passlib.hash.mssql2005 - MS SQL 2005 password hash
Danger
This algorithm is not considered secure by modern standards. It should only be used when verifying existing hashes, or when interacting with applications that require this format. For new code, see the list of recommended hashes.
New in version 1.6.
This class implements the hash algorithm used by Microsoft SQL Server 2005 to store its user account passwords, replacing the slightly less secure mssql2000 variant.
This class can be used directly as follows:
>>> from passlib.hash import mssql2005 as m25
>>> # hash password
>>> h = m25.hash("password")
>>> h
'0x01006ACDF9FF5D2E211B392EEF1175EFFE13B3A368CE2F94038B'
>>> # verify password
>>> m25.verify("password", h)
True
>>> m25.verify("letmein", h)
False
See also
- password hash usage – for more usage examples
- mssql2000 – the predecessor to this hash.
Interface
class passlib.hash.mssql2005
This class implements the password hash used by MS-SQL 2005, and follows the PasswordHash API.
It supports a fixed-length salt.
The using() method accepts the following optional keywords:
Parameters:
- salt (bytes) – Optional salt string. If not specified, one will be autogenerated (this is recommended). If specified, it must be 4 bytes in length.
- relaxed (bool) – By default, providing an invalid value for one of the other keywords will result in a ValueError. If relaxed=True, and the error can be corrected, a PasslibHashWarning will be issued instead. Correctable errors include salt strings that are too long.
Format & Algorithm
Security Issues
This algorithm is reasonably weak, and shouldn’t be used for any purpose besides manipulating existing MSSQL 2005 hashes. This is mainly due to its simplicity, and years of research on high-speed SHA1 implementations, which make efficient brute force attacks feasible.
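An added example (not passlib's own code) of the "verify existing hashes only" advice: check a legacy mssql2005 hash with the standard library and, on a successful login, produce a PBKDF2 record to store in its place. It assumes the layout passlib implements for this format (a 0x0100 header, the 4-byte salt, then SHA-1 over the UTF-16-LE password plus salt); the function names and the pbkdf2-sha256$... record layout are hypothetical.

```python
import hashlib
import hmac
import os

HEADER = "0x0100"  # assumed fixed prefix before the salt and digest


def parse_mssql2005(hash_str):
    """Split an mssql2005 hash string into (salt, digest) bytes."""
    if hash_str[:6].lower() != HEADER:
        raise ValueError("missing 0x0100 header")
    raw = bytes.fromhex(hash_str[6:])  # ValueError on non-hex input
    if len(raw) != 24:
        raise ValueError("expected 4-byte salt + 20-byte SHA-1 digest")
    return raw[:4], raw[4:]


def legacy_hash(password, salt):
    """One SHA-1 pass over UTF-16-LE password + salt: no key stretching."""
    digest = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    return HEADER + (salt + digest).hex().upper()


def legacy_verify(password, hash_str):
    salt, digest = parse_mssql2005(hash_str)
    candidate = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def upgrade_on_login(password, stored, rounds=600_000):
    """Return (ok, replacement); replacement is None if verification fails.

    The "pbkdf2-sha256$..." record layout is hypothetical, for this example.
    """
    if not legacy_verify(password, stored):
        return False, None
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return True, "pbkdf2-sha256$%d$%s$%s" % (rounds, salt.hex(), dk.hex())


if __name__ == "__main__":
    sample = "0x01006ACDF9FF5D2E211B392EEF1175EFFE13B3A368CE2F94038B"  # from this page
    salt, digest = parse_mssql2005(sample)
    print("salt:", salt.hex(), "digest length:", len(digest))
    print("verifies 'password':", legacy_verify("password", sample))
```

The legacy check costs a single SHA-1 computation per guess, while the replacement record costs the configured number of PBKDF2 rounds, which is the difference the Security Issues paragraph is pointing at.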