{
	"id": "02f7a582-8f00-4501-841c-9426822f5638",
	"created_at": "2026-04-06T00:22:02.735329Z",
	"updated_at": "2026-04-10T13:12:38.486731Z",
	"deleted_at": null,
	"sha1_hash": "989512ae50e996e683fab6ed7a71a0513046dd18",
	"title": "Windows’ Domain Cached Credentials v2 — Passlib v1.7.4 Documentation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43540,
	"plain_text": "Windows’ Domain Cached Credentials v2 — Passlib v1.7.4 Documentation\r\nArchived: 2026-04-05 23:48:05 UTC\r\nNew in version 1.6.\r\nThis class implements the DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer\r\nto cache and verify remote credentials when the relevant server is unavailable. It is known by a number of other\r\nnames, including “mscache2” and “mscash2” (Microsoft CAched haSH). It replaces the weaker msdcc v1 hash\r\nused by previous releases of Windows. Security-wise it is not particularly weak, but due to its use of the username\r\nas a salt, it should probably not be used for anything but verifying existing cached credentials. This class can be\r\nused directly as follows:\r\n\u003e\u003e\u003e from passlib.hash import msdcc2\r\n\u003e\u003e\u003e # hash password using specified username\r\n\u003e\u003e\u003e hash = msdcc2.hash(\"password\", user=\"Administrator\")\r\n\u003e\u003e\u003e hash\r\n'4c253e4b65c007a8cd683ea57bc43c76'\r\n\u003e\u003e\u003e # verify correct password\r\n\u003e\u003e\u003e msdcc2.verify(\"password\", hash, user=\"Administrator\")\r\nTrue\r\n\u003e\u003e\u003e # verify correct password w/ wrong username\r\n\u003e\u003e\u003e msdcc2.verify(\"password\", hash, user=\"User\")\r\nFalse\r\n\u003e\u003e\u003e # verify incorrect password\r\n\u003e\u003e\u003e msdcc2.verify(\"letmein\", hash, user=\"Administrator\")\r\nFalse\r\nSee also\r\npassword hash usage – for more usage examples\r\nmsdcc – the predecessor to this hash\r\nSecurity Issues\r\nThis hash is essentially msdcc v1 with a fixed-round PBKDF2 function wrapped around it. 
The number of rounds\r\nof PBKDF2 is currently sufficient to make this a semi-reasonable way to store passwords, but the use of the\r\nlowercase username as a salt, and the fact that the rounds can’t be increased, means this hash is not particularly\r\nfuture-proof, and should not be used for new applications.\r\nDeviations\r\nMax Password Size\r\nWindows appears to enforce a maximum password size, but the actual value of this limit is unclear; sources\r\nreport it to be set at assorted values from 26 to 128 characters, and it may in fact vary between Windows\r\nreleases. The one consistent piece of information is that passwords above the limit are simply not allowed\r\n(rather than truncated à la des_crypt). Because of this, Passlib does not currently enforce a size limit: any\r\nhashes this class generates should be correct, provided Windows is willing to accept a password of that\r\nsize.\r\nFootnotes\r\n[1] Description of DCC v2 algorithm - http://openwall.info/wiki/john/MSCash2\r\nSource: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.msdcc2.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://passlib.readthedocs.io/en/stable/lib/passlib.hash.msdcc2.html"
	],
	"report_names": [
		"passlib.hash.msdcc2.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434922,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/989512ae50e996e683fab6ed7a71a0513046dd18.pdf",
		"text": "https://archive.orkl.eu/989512ae50e996e683fab6ed7a71a0513046dd18.txt",
		"img": "https://archive.orkl.eu/989512ae50e996e683fab6ed7a71a0513046dd18.jpg"
	}
}