passlib.hash.mysql41 - MySQL 4.1 password hash

Warning

This algorithm is extremely weak, and should not be used for any purposes besides manipulating existing MySQL 4.1+ password hashes.

This class implements the second of MySQL’s password hash functions, used to store its user account passwords. Introduced in MySQL 4.1.1 under the function PASSWORD(), it replaced the previous algorithm (mysql323) as the default used by MySQL, and is still in active use under MySQL 5. Users will most likely find the frontends provided by passlib.apps to be more useful than accessing this class directly.

Interface

class passlib.hash.mysql41

This class implements the MySQL 4.1 password hash, and follows the Password Hash Interface.

It has no salt and a single fixed round.

The encrypt() and genconfig() methods accept no optional keywords.

Format & Algorithm

A mysql-41 password hash consists of an asterisk * followed by 40 hexadecimal digits, directly encoding the 160-bit checksum. An example hash (of password) is *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19. MySQL always uses upper-case letters, and so does Passlib (though Passlib will recognize lower-case letters as well).

The checksum is calculated simply, as the SHA1 hash of the SHA1 hash of the password, which is then encoded into hexadecimal.

Security Issues

Lacking any sort of salt, and using only 2 rounds of the common SHA1 message digest, it’s not very secure, and should not be used for any purpose but verifying existing MySQL 4.1+ password hashes.
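
The format and algorithm described above, written out with Python's hashlib as an added example (not Passlib's own code). The function names and the SAMPLE accounts are constructed for illustration, and text passwords are assumed to be UTF-8 encoded; shared_hashes shows what the missing salt means when auditing stored hashes: accounts with the same password store the same hash.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Layout from the page: '*' followed by 40 hex digits (either case accepted).
_MYSQL41_RE = re.compile(r"\*[0-9A-Fa-f]{40}")


def mysql41_hash(password):
    """Return '*' + upper-case hex of SHA1(SHA1(password))."""
    if isinstance(password, str):
        password = password.encode("utf-8")  # assumption: text is UTF-8 encoded
    inner = hashlib.sha1(password).digest()  # raw 20 bytes, not the hex string
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def normalize(stored):
    """Validate the hash layout and return its upper-case form."""
    if not _MYSQL41_RE.fullmatch(stored):
        raise ValueError("not a mysql41 hash")
    return stored.upper()


def verify(password, stored):
    """Check a password against an existing hash in constant time."""
    return hmac.compare_digest(mysql41_hash(password), normalize(stored))


def shared_hashes(accounts):
    """Map each hash stored by more than one account to those account names."""
    groups = defaultdict(list)
    for user, stored in accounts.items():
        groups[normalize(stored)].append(user)
    return {h: sorted(users) for h, users in groups.items() if len(users) > 1}


# Constructed sample data: two accounts share a password, one does not.
SAMPLE = {
    "app_rw": "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19",
    "backup": "*2470c0c06dee42fd1618bb99005adca2ec9d1e19",
    "report": mysql41_hash("a different constructed password"),
}

if __name__ == "__main__":
    print(mysql41_hash("password"))
    print(shared_hashes(SAMPLE))
```
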