>>>>> "Michael" == Michael Salmon <ms@stripped> writes:
Michael> Why not use a somewhat trusted and conventional hashing algorithm
Michael> such as md5? Inventing your own is dangerous. Can the algorithm be
Michael> formalized and put into a standard? If it were rfc'd I'd imagine
Michael> improvements could be made or at least its strength checked by

The problem is not hashing the password; as long as no one gets access
to the mysql.user table, this is not a problem.

(Even if one gets access to the mysql.user table, one can't from this
deduce the original password easily, as the current password algorithm

The problem in authentication is checking the password without ever
sending it over the line in either direction. For this MD5 doesn't
provide any solution.

In MySQL 4.0 we will have the option to connect to MySQL with SSL,
which will fix this problem once and for all.
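
The requirement stated above (the server checks a password that never crosses the wire in either direction) is what a nonce-based challenge-response provides. The sketch below is an added example, not part of the original message and not MySQL's code; the function names and the SHA-1 double-hash construction are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os


def sha1(*parts: bytes) -> bytes:
    return hashlib.sha1(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_verifier(password: str) -> bytes:
    """What the server keeps in its user table: SHA1(SHA1(password))."""
    return sha1(sha1(password.encode()))


def client_response(password: str, nonce: bytes) -> bytes:
    """Client proof: SHA1(password) masked with a nonce-dependent pad."""
    stage1 = sha1(password.encode())
    return xor(stage1, sha1(nonce, sha1(stage1)))


def server_check(verifier: bytes, nonce: bytes, response: bytes) -> bool:
    """Unmask the response with the stored verifier, re-hash, compare."""
    if len(response) != len(verifier):
        return False
    candidate_stage1 = xor(response, sha1(nonce, verifier))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(sha1(candidate_stage1), verifier)


def login(verifier: bytes, password: str) -> bool:
    """One full exchange; only the nonce and the response are transmitted."""
    nonce = os.urandom(20)                       # server -> client, fresh per connection
    response = client_response(password, nonce)  # client -> server
    return server_check(verifier, nonce, response)


if __name__ == "__main__":
    v = stored_verifier("s3cret-constructed")    # constructed sample password
    print("correct password:", login(v, "s3cret-constructed"))
    print("wrong password:  ", login(v, "guess"))
```

A passive listener still sees the nonce and the response and can test password guesses against them offline, so weak passwords remain exposed; encrypting the connection, as with the SSL option mentioned above, closes that gap.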