Python modules you should know: Passlib

April 23, 2012 at 07:50 AM | categories: Python, PyMYSK, Howto

Working with passwords is central to programming multi-user applications. Next in my ongoing series, Python modules you should know, is Passlib, a package that makes it easy to work with various password hashing schemes in Python.

Home page

Use

Passlib is a password hashing library for Python 2 & 3, which provides cross-platform implementations of over 20 password hashing algorithms, as well as a framework for managing existing password hashes.

It's designed to be useful for any task, from quickly verifying a hash found in a Unix system's /etc/shadow file to providing full-strength password hashing for multi-user applications.

This package is truly fully featured. It supports all kinds of hashing schemes: old Unix schemes, NT, newer and more secure schemes such as bcrypt, and application-specific schemes like Apache htpasswd, MySQL, PostgreSQL, LDAP, PHPass, etc.

Usage

I cannot do this package justice in one post, so I will show a few application examples; for more detailed usage, please refer to the documentation. If a password hashing function is what you are looking for, I am sure this package has got it.

Generating LDAP password Hashes

I will start with LDAP hashes, as I have recently been working a lot with LDAP in Python. The package can generate all the hashes defined by RFC 2307 and supported by OpenLDAP, as well as several non-standard hashing schemes. Of the standard hashing schemes, the salted SHA1 {SSHA} format is considered the strongest, so I will show how to generate a hash in this format.

from passlib.apps import ldap_context
ldap_context.encrypt("password")

Output:

'{SSHA}clorfUeCqGPKyUighzWaQK1oDyBOKUXI'

Generating Database password hashes for MySQL, PostgreSQL, Oracle

The package can create hashes for MySQL in the 3.x and 41 formats, PostgreSQL's MD5 format, and Oracle 10g and 11g formats.

MySQL 3.x

from passlib.hash import mysql323
mysql323.encrypt("password")

Output:

'5d2e19393cc5ef67'

MySQL 41

from passlib.hash import mysql41
mysql41.encrypt("password")

Output:

'*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19'

PostgreSQL MD5

from passlib.hash import postgres_md5
postgres_md5.encrypt("password", "username")

Output:

'md55a231fcdb710d73268c4f44283487ba2'

Oracle 10g

from passlib.hash import oracle10
oracle10.encrypt("password", "username")

Output:

'872805F3F4C83365'

Oracle 11g

from passlib.hash import oracle11
oracle11.encrypt("password")

Output:

'S:DDF711249A867220801E9D8F535E52635AD57C631BC08D32DB955F34D11E'

Generating Apache htpasswd hashes

The package is able to create Apache htpasswd hashes; you can use actual files or do it in memory. The example below creates the file in memory.

from passlib.apache import HtpasswdFile
htpasswd = HtpasswdFile()
htpasswd.update("username", "password")
print(htpasswd.to_string())

Output:

username:$apr1$6vAEkwBz$90u21dy/x2Te3SzVAYYZJ/

Generating Django password hashes

The package can generate password hashes using all the hash formats provided by Django. It defaults to using the salted SHA1 digest.

from passlib.apps import django_context
django_context.encrypt("password")

Output:

'sha1$f08a1$c81f0fd5aa6e7e14e22bcdfece31d4dc696cddf3'

Generating PHPass hashes

PHPass is used by many popular PHP applications such as WordPress, Drupal and phpBB. The package supports working with PHPass hashes.

from passlib.apps import phpass_context
phpass_context.encrypt("password")

Output:

'$2a$10$DT0qJBBrQfOC.RN8/Kde9OhYmavVkPh5ioObLnDArJRI6g5FZHlxa'

phpBB uses a variant.

from passlib.apps import phpbb3_context
phpbb3_context.encrypt("password")

Output:

'$H$879lNdddwBtDAz86P04doHH9ko63UI.'

And there is more

I have only shown how to generate hashes. The package also allows you to verify hashes, identify them, and so on; there is not enough space in one post to cover all that.

I have not touched on a lot of what can be done with the package. Please read the package documentation for more. If it's password hashing you need, this surely is the library for you.

