
password algorithm


Sasha Pachev
Jul 20, 2001, 9:59:08 PM
On Friday 20 July 2001 17:02, Michael Salmon wrote:
> Hi folks,
> I was wondering where I can find more information on the password
> function MySQL supplies. Whether it duplicates a known algorithm or uses
> its own hashing function. If it uses its own - where can I find
> data on the security of the function?

See sql/password.c in the source. It uses its own hashing function. Security
is not very good, and it is easy to crack. But a lot of code already depends
on it, including the protocol itself - so we are stuck with it. For real
security use MD5().

--
MySQL Development Team
For technical support contracts, visit https://order.mysql.com/
Sasha Pachev <sa...@mysql.com>
MySQL AB, http://www.mysql.com/
Provo, Utah, USA


Russell E Glaue
Jul 20, 2001, 11:27:23 PM
What is the possibility of getting MySQL to authenticate with an outside
data manager? I.e., getting MySQL to authenticate against LDAP via SSL.
This way, one can set up any encryption scheme they desire.
I would appreciate this for other administrative purposes, though.
-RG

Sergei Golubchik
Jul 21, 2001, 4:41:39 AM
Hi!

On Jul 20, Sasha Pachev wrote:
> On Friday 20 July 2001 17:02, Michael Salmon wrote:
> > Hi folks,
> > I was wondering where I can find more information on the password
> > function MySQL supplies. Whether it duplicates a known algorithm or uses
> > its own hashing function. If it uses its own - where can I find
> > data on the security of the function?
>
> See sql/password.c in the source. It uses its own hashing function. Security
> is not very good, and it is easy to crack. But a lot of code already depends
> on it, including the protocol itself - so we are stuck with it. For real
> security use MD5().

Besides Sasha's valuable comments, to get a secure MySQL connection
(authentication, sniff protection, etc.) use MySQL over SSL (well,
it's probably not ready yet - should be in 4.0, I think).
To get secure authentication in your application, use MD5.

Regards,
Sergei

--
MySQL Development Team
Sergei Golubchik <se...@mysql.com>
MySQL AB, http://www.mysql.com/
Osnabrueck, Germany

Michael Salmon
Jul 24, 2001, 1:35:14 AM
Why not use a somewhat trusted and conventional hashing algorithm
such as MD5? Inventing your own is dangerous. Can the algorithm be
formalized and put into a standard? If it were RFC'd I'd imagine
improvements could be made, or at least its strength checked by
cryptanalysts.

On Fri, Jul 20, 2001 at 06:57:51PM -0600, Sasha Pachev wrote:
> On Friday 20 July 2001 17:02, Michael Salmon wrote:
> > Hi folks,
> > I was wondering where I can find more information on the password
> > function MySQL supplies. Whether it duplicates a known algorithm or uses
> > its own hashing function. If it uses its own - where can I find
> > data on the security of the function?
>
> See sql/password.c in the source. It uses its own hashing function. Security
> is not very good, and it is easy to crack. But a lot of code already depends
> on it, including the protocol itself - so we are stuck with it. For real
> security use MD5().
thanks,
ms

Sasha Pachev
Jul 25, 2001, 3:23:29 PM
On Monday 23 July 2001 23:34, Michael Salmon wrote:
> Why not use a somewhat trusted and conventional hashing algorithm
> such as MD5? Inventing your own is dangerous. Can the algorithm be
> formalized and put into a standard? If it were RFC'd I'd imagine
> improvements could be made, or at least its strength checked by
> cryptanalysts.

MD5 or some other solid algorithm is definitely an option in the future, but
not in 3.23. In any case, we have to keep the old algorithm to maintain
compatibility with the old clients.

--
MySQL Development Team
For technical support contracts, visit https://order.mysql.com/
Sasha Pachev <sa...@mysql.com>
MySQL AB, http://www.mysql.com/
Provo, Utah, USA

Michael Widenius
Jul 26, 2001, 4:52:47 AM

Hi!

>>>>> "Michael" == Michael Salmon <m...@collab.net> writes:

Michael> Why not use a somewhat trusted and conventional hashing algorithm
Michael> such as MD5? Inventing your own is dangerous. Can the algorithm be
Michael> formalized and put into a standard? If it were RFC'd I'd imagine
Michael> improvements could be made, or at least its strength checked by
Michael> cryptanalysts.

The problem is not hashing the password: as long as no one gets access
to the mysql.user table, this is not a problem.

(Even if one gets access to the mysql.user table, one can't easily
deduce the original password from it, as the current password algorithm
is lossy.)

The problem in authentication is checking the password without ever
sending it over the line in either direction. For this MD5 doesn't
provide any solution.

In MySQL 4.0 we will have the option to connect to MySQL with SSL,
which will fix this problem once and for all.

Regards,
Monty
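To make Monty's distinction concrete, here is an added toy example (not MySQL's code and not sql/password.c) of a challenge-response login: the server keeps only a digest of the password, the client proves knowledge of the password by answering a fresh random challenge, and neither the password nor its digest ever crosses the wire. SHA-256 and HMAC are this example's choices, not anything the thread specifies.

```python
# Added illustration, not MySQL's protocol: a minimal challenge-response
# login where the password is never transmitted. The last function shows
# the design caveat that makes protecting the user table essential: in a
# scheme of this shape the stored digest alone can answer a challenge.
import hashlib
import hmac
import secrets


def store_verifier(password: str) -> bytes:
    """Server side: what is written to the user table (a digest, not the password)."""
    return hashlib.sha256(password.encode()).digest()


def issue_challenge() -> bytes:
    """Server side: a fresh, unpredictable nonce for each connection attempt."""
    return secrets.token_bytes(20)


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: derive the same digest locally and MAC the challenge with it."""
    verifier = hashlib.sha256(password.encode()).digest()
    return hmac.new(verifier, challenge, hashlib.sha256).digest()


def server_verify(verifier: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected answer and compare in constant time."""
    expected = hmac.new(verifier, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def login(verifier: bytes, password_attempt: str) -> bool:
    """One full exchange: challenge -> response -> verdict."""
    challenge = issue_challenge()
    return server_verify(verifier, challenge, client_response(password_attempt, challenge))


def replay_fails(verifier: bytes, password: str) -> bool:
    """A response captured from one exchange is useless against the next challenge."""
    first = issue_challenge()
    captured = client_response(password, first)
    second = issue_challenge()
    return not server_verify(verifier, second, captured)


def verifier_is_password_equivalent(verifier: bytes) -> bool:
    """Caveat: the stored digest by itself suffices to answer a challenge."""
    challenge = issue_challenge()
    answer = hmac.new(verifier, challenge, hashlib.sha256).digest()
    return server_verify(verifier, challenge, answer)
```

Over a plaintext connection this hides the password but nothing else on the session, which is the gap the SSL remark above addresses.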
