passlib.hash.oracle11 - Oracle 11g password hash

This class implements the hash algorithm introduced in version 11g of the Oracle Database. It supersedes the Oracle 10 password hash. This class can be used directly as follows:

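>>> from passlib.hash import oracle11 as oracle11

>>> # generate new salt, hash password
>>> hash = oracle11.hash("password")
>>> hash  # the salt is random, so the value differs on each run
'S:4143053633E59B4992A8EA17D2FF542C9EDEB335C886EED9C80450C1B4E6'

>>> # verify password
>>> oracle11.verify("password", hash)
True
>>> oracle11.verify("secret", hash)
False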

See also

the generic PasswordHash usage examples


This implementation has not been compared very carefully against the official implementation or reference documentation, and its behavior may not match under various border cases. Caveat emptor.


class passlib.hash.oracle11

This class implements the Oracle11g password hash, and follows the PasswordHash API.

It supports a fixed-length salt.

The using() method accepts the following optional keywords:

  • salt (str) – Optional salt string. If not specified, one will be autogenerated (this is recommended). If specified, it must be 20 hexadecimal characters.
  • relaxed (bool) –

    By default, providing an invalid value for one of the other keywords will result in a ValueError. If relaxed=True, and the error can be corrected, a PasslibHashWarning will be issued instead. Correctable errors include salt strings that are too long.

    New in version 1.6.

Format & Algorithm

An example oracle11 hash (of the string password) is:

S:4143053633E59B4992A8EA17D2FF542C9EDEB335C886EED9C80450C1B4E6

An oracle11 hash string has the format S:{checksum}{salt}, where:

  • S: is the prefix used to identify oracle11 hashes (as distinct from oracle10 hashes, which have no constant prefix).

  • checksum is 40 hexadecimal characters, encoding a 160-bit checksum.

    (4143053633E59B4992A8EA17D2FF542C9EDEB335 in the example)

  • salt is 20 hexadecimal characters, providing an 80-bit salt (C886EED9C80450C1B4E6 in the example).

The Oracle 11 hash has a very simple algorithm: the salt is decoded from its hexadecimal representation into binary (raw_salt), the SHA-1 digest of the concatenation {password}{raw_salt} is computed, and that digest is then encoded into hexadecimal and returned as the checksum.
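
The format and algorithm described above, written out with only the Python standard library. This is an added example, not Passlib's own code; the function names parse_oracle11, oracle11_hash and oracle11_verify are hypothetical, and the UTF-8 encoding of str passwords follows the policy this page describes for Passlib.

```python
import hashlib
import hmac
import os
import re

# Layout from this page: "S:" + 40 hex chars (SHA-1 checksum) + 20 hex chars (salt).
_ORACLE11_RE = re.compile(r"S:([0-9A-Fa-f]{40})([0-9A-Fa-f]{20})")


def parse_oracle11(hash_str):
    """Split an oracle11 hash string into (checksum_bytes, raw_salt_bytes)."""
    m = _ORACLE11_RE.fullmatch(hash_str)
    if m is None:
        raise ValueError("not a well-formed oracle11 hash string")
    return bytes.fromhex(m.group(1)), bytes.fromhex(m.group(2))


def oracle11_hash(password, raw_salt=None):
    """Return 'S:' + hex(SHA-1(password + raw_salt)) + hex(raw_salt), upper case."""
    if raw_salt is None:
        raw_salt = os.urandom(10)  # fresh 80-bit salt
    if len(raw_salt) != 10:
        raise ValueError("salt must be exactly 10 bytes (20 hex characters)")
    if isinstance(password, str):
        password = password.encode("utf-8")  # assumption: UTF-8, as Passlib does
    checksum = hashlib.sha1(password + raw_salt).digest()
    return "S:" + (checksum + raw_salt).hex().upper()


def oracle11_verify(password, hash_str):
    """Recompute the checksum with the stored salt and compare in constant time."""
    checksum, raw_salt = parse_oracle11(hash_str)
    candidate, _ = parse_oracle11(oracle11_hash(password, raw_salt))
    return hmac.compare_digest(candidate, checksum)


if __name__ == "__main__":
    # Built from the checksum and salt values quoted on this page.
    example = "S:4143053633E59B4992A8EA17D2FF542C9EDEB335C886EED9C80450C1B4E6"
    checksum, salt = parse_oracle11(example)
    print("salt     :", salt.hex().upper())
    print("checksum :", checksum.hex().upper())
    print("verifies :", oracle11_verify("password", example))
```
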


Passlib’s implementation of the Oracle11g hash may deviate from the official implementation in unknown ways, as there is no official documentation. There is only one known issue:

  • Unicode Policy

    Lack of testing (and test vectors) leaves it unclear how Oracle 11g handles passwords containing non-7-bit ASCII characters. In order to provide support for unicode strings, Passlib will encode unicode passwords using UTF-8 before running them through Oracle11. This behavior may be altered in the future, if further testing reveals another behavior is more in line with the official representation.

