New in version 1.6.
This hash is not secure, and should not be used for any purposes besides manipulating existing Cisco PIX password hashes.
This class implements the password hash algorithm commonly found on Cisco PIX firewalls. This class can be used directly as follows:
>>> from passlib.hash import cisco_pix as pix >>> # encrypt password using specified username >>> hash = pix.encrypt("password", user="user") >>> hash 'A5XOy94YKDPXCo7U' >>> # verify correct password >>> pix.verify("password", hash, user="user") True >>> # verify correct password w/ wrong username >>> pm.verify("password", hash, user="other") False >>> # verify incorrect password >>> pm.verify("letmein", hash, user="user") False >>> # encrypt password without associate user account >>> hash2 = pix.encrypt("password") >>> hash2 'NuLKvvWGg.x9HEKO' >>> # verify password without associated user account >>> pix.verify("password", hash2) True
the generic PasswordHash usage examples
This class implements the password hash used by Cisco PIX firewalls, and follows the Password Hash Interface. It does a single round of hashing, and relies on the username as the salt.
|Parameters:||user (str) –
String containing name of user account this password is associated with.
This is required in order to correctly hash passwords associated with a user account on the Cisco device, as it is used to salt the hash.
Conversely, this must be omitted or set to "" in order to correctly hash passwords which don’t have an associated user account (such as the “enable” password).
This hash algorithm has a context-sensitive percularity. It takes in an optional username, used to salt the hash, but with specific restrictions...
Cisco PIX hashes consist of a 12 byte digest, encoded as a 16 character HASH64-encoded string. An example hash (of "password") is "NuLKvvWGg.x9HEKO".
The digest is calculated as follows:
This algorithm is not suitable for any use besides manipulating existing Cisco PIX hashes, due to the following flaws:
This implementation differs from the standard in one main way:
The official Cisco PIX algorithm is primarily used with ascii passwords, how it handles other characters is not known.
In order to provide support for unicode strings, Passlib will encode unicode passwords using utf-8 before running them through this algorithm. If a different encoding is desired by an application, the password should be encoded before handing it to Passlib.
While this implementation agrees with all known references, the actual algorithm has not been published by Cisco, so there may be other unknown deviations.
|||Description of PIX algorithm - http://www.perlmonks.org/index.pl?node_id=797623|
|||Message threads hinting at how username is handled - http://www.openwall.com/lists/john-users/2010/02/02/7, www.freerainbowtables.com/phpBB3/viewtopic.php?f=2&t=1441|