List:Internals« Previous MessageNext Message »
From:Michael Widenius Date:July 25 2001 1:44pm
Subject:Re: password algorithm
View as plain text  
Hi!

>>>>> "Michael" == Michael Salmon <ms@stripped> writes:

Michael> Why not use a somewhat trusted and conventional hashing algorithm 
Michael> such as md5? Inventing your own is dangerous. Can the algorithm be
Michael> formalized and put into a standard? If it were rfc'd I'd imagine
Michael> improvements could be made or at least it's strength checked by
Michael> cryptoanalysts.
 
The problem is not hashing the password;  As long as no gets access
to the mysql.user table, this is not a problem.

(Even if one gets access to the mysql.user table, one can't from this
deduct the original password easily, as the current password algorithm
is lossy).

The problem in authentication is checking the password without ever
sending it over the line in either direction.  For this MD5 doesn't
provide any solution.

In MySQL 4.0 we will have the option to connect to MySQL with SSL,
with will fix this problem once and for all.

Regards,
Monty


Thread
password algorithmMichael Salmon21 Jul
  • Re: password algorithmSasha Pachev21 Jul
    • Re: password algorithmRussell E Glaue21 Jul
    • Re: password algorithmSergei Golubchik21 Jul
    • Re: password algorithmMichael Salmon24 Jul
      • Re: password algorithmSasha Pachev25 Jul
      • Re: password algorithmMichael Widenius26 Jul