This hash is not secure, and should not be used for any purposes besides manipulating existing Oracle 10 password hashes.
This class implements the hash algorithm used by the Oracle Database up to version 10g Rel.2. It was superceded by a newer algorithm in Oracle 11. This class can be used directly as follows (note that this class requires a username for all encrypt/verify operations):
>>> from passlib.hash import oracle10 as oracle10 >>> # encrypt password using specified username >>> hash = oracle10.encrypt("password", user="username") >>> hash '872805F3F4C83365' >>> # verify correct password >>> oracle10.verify("password", hash, user="username") True >>> # verify correct password w/ wrong username >>> oracle10.verify("password", hash, user="somebody") False >>> # verify incorrect password >>> oracle10.verify("letmein", hash, user="username") False
the generic PasswordHash usage examples
This implementation has not been compared very carefully against the official implementation or reference documentation, and it’s behavior may not match under various border cases. caveat emptor.
This class implements the password hash used by Oracle up to version 10g, and follows the Password Hash Interface.
It does a single round of hashing, and relies on the username as the salt.
|Parameters:||user (str) – name of oracle user account this password is associated with.|
Oracle10 hashes all consist of a series of 16 hexidecimal digits, representing the resulting checksum. Oracle10 hashes can be formed by the following procedure:
This algorithm it not suitable for any use besides manipulating existing Oracle10 account passwords, due to the following flaws :
Passlib’s implementation of the Oracle10g hash may deviate from the official implementation in unknown ways, as there is no official documentation. There is only one known issue:
Lack of testing (and test vectors) leaves it unclear as to how Oracle 10g handles passwords containing non-7bit ascii. In order to provide support for unicode strings, Passlib will encode unicode passwords using utf-16-be  before running them through the Oracle10g algorithm. This behavior may be altered in the future, if further testing reveals another behavior is more in line with the official representation. This note applies as well to any provided username, as they are run through the same policy.
|||(1, 2) The exact encoding used in step 3 of the algorithm is not clear from known references. Passlib uses utf-16-be, as this is both compatible with existing test vectors, and supports unicode input.|
|||Whitepaper analyzing flaws in this algorithm - http://www.isg.rhul.ac.uk/~ccid/publications/oracle_passwd.pdf.|
|||Description of Oracle10g and Oracle11g algorithms - http://www.notesbit.com/index.php/scripts-oracle/oracle-11g-new-password-algorithm-is-revealed-by-seclistsorg/.|