This hash is not secure, and should not be used for any purposes besides manipulating existing PostgreSQL password hashes.
This class implements the md5-based hash algorithm used by PostgreSQL to store it’s user account passwords. This scheme was introduced in PostgreSQL 7.2; prior to this PostgreSQL stored it’s password in plain text. Users will most likely find the frontend provided by passlib.apps to be more useful than accessing this class directly. That aside, this class can be used directly as follows:
>>> from passlib.hash import postgres_md5 >>> # encrypt password using specified username >>> hash = postgres_md5.encrypt("password", user="username") >>> hash 'md55a231fcdb710d73268c4f44283487ba2' >>> # verify correct password >>> postgres_md5.verify("password", hash, user="username") True >>> # verify correct password w/ wrong username >>> postgres_md5.verify("password", hash, user="somebody") False >>> # verify incorrect password >>> postgres_md5.verify("password", hash, user="username") False
the generic PasswordHash usage examples
This class implements the Postgres MD5 Password hash, and follows the Password Hash Interface.
It does a single round of hashing, and relies on the username as the salt.
|Parameters:||user (str) – name of postgres user account this password is associated with.|
Postgres-MD5 hashes all have the format md5checksum, where checksum is 32 hexidecimal digits, encoding a 128-bit checksum. This checksum is the MD5 message digest of the password concatenated with the username.
This algorithm it not suitable for any use besides manipulating existing PostgreSQL account passwords, due to the following flaws:
|||Discussion leading up to design of algorithm - http://archives.postgresql.org/pgsql-hackers/2001-06/msg00952.php|
|||Message explaining postgres md5 hash algorithm - http://archives.postgresql.org/pgsql-php/2003-01/msg00021.php|
|||Blog post demonstrating brute-force attack http://pentestmonkey.net/blog/cracking-postgres-hashes/.|