List: Internals
From: Sergei Golubchik
Date: May 27 2011 4:06pm
Subject: Re: Why SHA256+salt authentication ?
Hi, Mats!

On May 27, Mats Kindahl wrote:
> >>> Or you just like it salted?
> >> Yes. It is supposed to make it more difficult to construct MySQL
> >> specific rainbow tables.
> > Agree.
> > We even tried to use salted hashes once, but had to revert it.
> 
> Just curious: why did you have to revert it?

It was introduced in 4.1.0 (as the first implementation of the "new
auth protocol"). And PASSWORD(string) returned a salted hash.

The problem was that PASSWORD() became non-deterministic - if you'd
repeat, say, SELECT PASSWORD("foobar"), you'd see different results.

And we found that an awful lot of users happened to use something like

  SELECT user, blabla, whatever FROM a_table WHERE pwd = PASSWORD($pass)

We tried educating them and so on, because, strictly speaking,
PASSWORD() should *only* be used for MySQL password hashes, and never
for hashing application level passwords. But it was hopeless
(--old-passwords option was not enough) and in 4.1.1 we changed to
salt-less hashes.

Perhaps Oracle will be better at user education (I doubt it), or better
at ignoring users' complaints (which sounds quite possible) or just
lucky. Anyway - try it again, and good luck. Now you know the problem to
solve.

Regards,
Sergei

P.S. Disclaimer: the above is my recollection of the events that
happened in the middle of 2003, others may remember differently.
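
An added example, not part of the message above: it shows why an equality lookup of the form `WHERE pwd = PASSWORD($pass)` stops matching once the hash function draws a random salt, and how the check has to be restructured. Assumptions: sqlite3 stands in for the application database, PBKDF2-HMAC-SHA256 and plain SHA-256 stand in for the hash functions (neither is MySQL's PASSWORD() algorithm), and all function names are hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 10_000  # assumption for this example; kept low so it runs quickly

def unsalted_hash(password):
    """Deterministic: the same password always yields the same string."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt=None):
    """Fresh random salt per call, stored with the digest as 'salt$digest'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify(password, stored):
    """Re-derive with the stored salt, then compare in constant time."""
    salt_hex = stored.partition("$")[0]
    return hmac.compare_digest(salted_hash(password, bytes.fromhex(salt_hex)), stored)

def equality_lookup(db, hash_fn, user, password):
    """The application pattern from the message: WHERE pwd = HASH($pass)."""
    row = db.execute("SELECT user FROM a_table WHERE user = ? AND pwd = ?",
                     (user, hash_fn(password))).fetchone()
    return row is not None

def fetch_then_verify(db, user, password):
    """Works with salted hashes: select by user, verify in the application."""
    row = db.execute("SELECT pwd FROM a_table WHERE user = ?", (user,)).fetchone()
    return row is not None and verify(password, row[0])

def demo():
    # Constructed sample data: two accounts with the same password "foobar".
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE a_table (user TEXT PRIMARY KEY, pwd TEXT)")
    db.execute("INSERT INTO a_table VALUES ('old', ?)", (unsalted_hash("foobar"),))
    db.execute("INSERT INTO a_table VALUES ('new', ?)", (salted_hash("foobar"),))
    return {
        "unsalted_equality": equality_lookup(db, unsalted_hash, "old", "foobar"),
        "salted_equality": equality_lookup(db, salted_hash, "new", "foobar"),
        "salted_verify": fetch_then_verify(db, "new", "foobar"),
        "salted_verify_wrong": fetch_then_verify(db, "new", "barfoo"),
    }
```
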
