From: Bernhard K. <da...@gm...> - 2003-12-04 23:37:49
Hi pam-mysql-general!

From http://www.mysql.com/documentation/mysql/bychapter/manual_MySQL_Database_Administration.html#Password_hashing

-------------------------------------------------------------------
4.3.12 Implications of Password Hashing Changes for Application Programs

An upgrade to MySQL 4.1 can cause a compatibility issue for applications that use PASSWORD() to generate passwords for their own purposes. (Applications really should not do this, because PASSWORD() should be used only to manage passwords for MySQL accounts. But some applications use PASSWORD() for their own purposes anyway.)

If you upgrade to 4.1 and run the server under conditions where it generates long password hashes, an application that uses PASSWORD() for its own passwords will break. The recommended course of action is to modify the application to use another function such as SHA1() or MD5() to produce hashed values. If that is not possible, you can use the OLD_PASSWORD() function, which is provided to generate short hashes in the old format. (But note that OLD_PASSWORD() may one day no longer be supported.)
-------------------------------------------------------------------

So please advise your users (in the README) not to use the MySQL password() function.

I'm going to use crypt for now, but I would appreciate a hash that supports passwords longer than 8 characters. AFAIK crypt uses DES, which is considered insecure against brute force attacks due to the short 56 (IIRC) bit key length. That may not be an issue here, as the crypted passwords should not be available to attackers. Still, I'd like to have md5 (which has a small hash collision vulnerability) or sha (which is of doubtful security as it was developed by the NSA) or anything better (but actually I prefer something built into MySQL as it eases the insertion of test data).

Please CC replies to me.
Thank you,
Bernhard

--
Webspace; low-end server housing from 15 EUR, etc.: http://www.bksys.at
Linux admin/programmer: http://bksys.at/bernhard/services.html
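An added example (not pam-mysql's code and not from the post above) of the compatibility break the quoted manual section describes: it reproduces the short pre-4.1 PASSWORD() hash and the long 4.1 form, then dispatches verification on the shape of the stored hash instead of blindly recomputing PASSWORD(). The formats it assumes are the 16-hex-digit old form, the 41-character '*'-prefixed 4.1 form, and plain SHA1()/MD5() hex output.

```python
import hashlib

# Constructed example, not pam-mysql's own code. Stored-hash formats assumed:
#   pre-4.1 PASSWORD() (today's OLD_PASSWORD()): 16 lowercase hex digits
#   4.1 PASSWORD():                              '*' + 40 uppercase hex digits
#   SHA1() / MD5():                              40 / 32 hex digits

def mysql_old_password(password: str) -> str:
    """Reproduce the short pre-4.1 PASSWORD() hash (MySQL's hash_password())."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password.encode("latin-1"):
        if ch in (0x20, 0x09):          # the old algorithm skips spaces and tabs
            continue
        nr ^= (((nr & 63) + add) * ch) + (nr << 8)
        nr2 += (nr2 << 8) ^ nr
        add += ch
        nr &= 0xFFFFFFFF                # only the low bits feed later rounds,
        nr2 &= 0xFFFFFFFF               # so bounding them here changes nothing
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)

def mysql41_password(password: str) -> str:
    """Reproduce the long 4.1 PASSWORD() hash: '*' + hex(SHA1(SHA1(pw)))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def classify(stored: str) -> str:
    """Guess from its shape which function produced a stored hash."""
    hexdigits = set("0123456789abcdefABCDEF")
    if len(stored) == 41 and stored[0] == "*" and set(stored[1:]) <= hexdigits:
        return "mysql41"
    if set(stored) <= hexdigits:
        return {16: "mysql-old", 32: "md5", 40: "sha1"}.get(len(stored), "unknown")
    return "unknown"

def verify(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored hash with the scheme that produced it.

    An application that always recomputes PASSWORD(candidate) on a 4.1 server
    gets the 41-character form and can never match a 16-character stored row.
    """
    scheme = classify(stored)
    if scheme == "mysql-old":
        return mysql_old_password(candidate) == stored.lower()
    if scheme == "mysql41":
        return mysql41_password(candidate) == stored.upper()
    if scheme == "sha1":
        return hashlib.sha1(candidate.encode("utf-8")).hexdigest() == stored.lower()
    if scheme == "md5":
        return hashlib.md5(candidate.encode("utf-8")).hexdigest() == stored.lower()
    return False
```

A migration path that matches the manual's advice is to re-hash with SHA1() or MD5() whenever verify() succeeds against a "mysql-old" row.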