passlib.hash.mysql323 - MySQL 3.2.3 password hash


This algorithm is extremely weak, and should not be used for any purposes besides manipulating existing Mysql 3.2.3-4.0 password hashes.

This class implements the first of MySQL’s password hash functions, used to store its user account passwords. Introduced in MySQL 3.2.3 under the function PASSWORD(), this function was renamed to OLD_PASSWORD() under MySQL 4.1, when a newer password hash algorithm was introduced (see mysql41). Users will most likely find the frontends provided by passlib.apps to be more useful than accessing this class directly. That aside, this class can be used as follows:

>>> from passlib.hash import mysql323

>>> # encrypt password
>>> mysql323.encrypt("password")

>>> # verify correct password
>>> mysql323.verify("password", '5d2e19393cc5ef67')
>>> mysql323.verify("secret", '5d2e19393cc5ef67')

See also


class passlib.hash.mysql323

This class implements the MySQL 3.2.3 password hash, and follows the Password Hash Interface.

It has no salt and a single fixed round.

The encrypt() and genconfig() methods accept no optional keywords.

Format & Algorithm

A mysql-323 password hash consists of 16 hexadecimal digits, directly encoding the 64 bit checksum. MySQL always uses lower-case letters, and so does Passlib (though Passlib will recognize upper case letters as well).

The algorithm used is extremely simplistic, for details, see the source implementation in the footnotes [1].

Security Issues

Lacking any sort of salt, ignoring all whitespace, and having a simplistic algorithm that amounts to little more than a checksum, this is not secure, and should not be used for any purpose but verifying existing MySQL 3.2.3 - 4.0 password hashes.


[1]Source of implementation used by Passlib -
[2]Mysql document describing transition -