Using a single round of any cryptographic hash (especially without a salt) is so insecure that it’s barely better than plaintext. Do not use these schemes in new applications.
Some existing applications store passwords by storing them using hexidecimal-encoded message digests, such as MD5 or SHA1. Such schemes are extremely vulnerable to pre-computed brute-force attacks, and should not be used in new applications. However, for the sake of backwards compatibility when converting existing applications, Passlib provides wrappers for few of the common hashes. These classes all wrap the underlying hashlib implementations, and can be used directly as follows:
>>> from passlib.hash import hex_sha1 as hex_sha1 >>> # encrypt password >>> h = hex_sha1.encrypt("password") >>> h '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8' >>> # verify correct password >>> hex_sha1.verify("password", h) True >>> # verify incorrect password >>> hex_sha1.verify("secret", h) False
the generic PasswordHash usage examples
Each of these classes implements a plain hexidecimal encoded message digest, using the relevant digest function from hashlib, and following the Password Hash Interface.
They support no settings or other keywords.
Oracle VirtualBox’s VBoxManager internalcommands passwordhash command uses hex_sha256.
All of these classes just report the result of the specified digest, encoded as a series of lowercase hexidecimal characters; though upper case is accepted as input.