New in version 1.6.
This hash is not very secure, and should not be used for any purposes besides manipulating existing MSSQL 2000 password hashes.
This class implements the hash algorithm used by Microsoft SQL Server 2000 to store it’s user account passwords, until it was replaced by a slightly more secure variant (mssql2005) in MSSQL 2005. This class can be used directly as follows:
>>> from passlib.hash import mssql2000 as m20 >>> # encrypt password >>> h = m20.encrypt("password") >>> h '0x0100200420C4988140FD3920894C3EDC188E94F428D57DAD5905F6CC1CBAF950CAD4C63F272B2C91E4DEEB5E6444' >>> # verify correct password >>> m20.verify("password", h) True >>> m20.verify("letmein", h) False
This class implements the password hash used by MS-SQL 2000, and follows the Password Hash Interface.
It supports a fixed-length salt.
MSSQL 2000 hashes are usually presented as a series of 92 upper-case hexidecimal characters, prefixed by 0x. An example MSSQL 2000 hash (of "password"):
This encodes 46 bytes of raw data, consisting of:
The first digest is generated by encoding the unicode password using UTF-16-LE, and calculating SHA1(encoded_secret + salt).
The second digest is generated the same as the first, except that the password is converted to upper-case first.
Only the second digest is used when verifying passwords (and hence the hash is case-insensitive). The first digest is presumably for forward-compatibility: MSSQL 2005 removed the second digest, and thus became case sensitive.
MSSQL 2000 hashes do not actually have a native textual format, as they are stored as raw bytes in an SQL table. However, when external programs deal with them, MSSQL generally encodes raw bytes as upper-case hexidecimal, prefixed with 0x. This is the representation Passlib uses.
This algorithm is reasonably weak, and shouldn’t be used for any purpose besides manipulating existing MSSQL 2000 hashes, due to the following flaws:
|||Overview hash algorithms used by MSSQL - https://blogs.msdn.com/b/lcris/archive/2007/04/30/sql-server-2005-about-login-password-hashes.aspx?Redirected=true.|
|||Description of MSSQL 2000 algorithm - http://www.theregister.co.uk/2002/07/08/cracking_ms_sql_server_passwords/.|