Hi, Mats!
On May 27, Mats Kindahl wrote:
> >>> Or you just like it salted?
> >> Yes. It is supposed to make it more difficult to construct MySQL
> >> specific rainbow tables.
> > Agree.
> > We even tried to use salted hashes once, but had to revert it.
>
> Just curious: why did you have to revert it?
It was introduced in 4.1.0 (as the first implementation of the "new
auth protocol"). And PASSWORD(string) returned a salted hash.
The problem was that PASSWORD() became non-deterministic - if you'd
repeat, say, SELECT PASSWORD("foobar"), you'd see different results.
And we found that an awful lot of users happened to use something like
SELECT user, blabla, whatever FROM a_table WHERE pwd = PASSWORD($pass)
We tried educating them and so on, because, strictly speaking,
PASSWORD() should *only* be used for MySQL password hashes, and never
for hashing application level passwords. But it was hopeless
(--old-passwords option was not enough) and in 4.1.1 we've changed to
salt-less hashes.
Perhaps Oracle will be better at user education (I doubt it), or better
at ignoring users' complaints (which sounds quite possible) or just
lucky. Anyway - try it again, and good luck. Now you know the problem to
solve.
Regards,
Sergei
P.S. Disclaimer: the above is my recollection of the events that
happened in the middle of 2003, others may remember differently.
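The failure mode Sergei describes, as an added illustration that is not MySQL's code: a toy salted hash stands in for the 4.1.0-style PASSWORD(), a deterministic hash for the salt-less one, and `naive_lookup` models the `WHERE pwd = PASSWORD($pass)` pattern. The hash construction, iteration count and storage format are constructed for the example; only the determinism property matters.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # constructed parameter for the toy scheme


def unsalted_password(pw):
    """Deterministic hash: same input, same output, so equality works."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_password(pw, salt=None):
    """Salted hash: fresh random salt per call, so calling it twice on the
    same input yields two different strings. Stored as '<salt>$<digest>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_salted(stored, pw):
    """The check a salted scheme needs: extract the salt from the stored
    value, re-derive with it, compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    recomputed = salted_password(pw, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def naive_lookup(table, user, pw, hash_fn):
    """Models `WHERE user = ? AND pwd = PASSWORD(?)`: recompute and compare
    for equality. Only correct when hash_fn is deterministic."""
    return table.get(user) == hash_fn(pw)


def demo():
    """Constructed user table; returns which checks pass."""
    users_unsalted = {"alice": unsalted_password("foobar")}
    users_salted = {"alice": salted_password("foobar")}
    return {
        # what worked before 4.1.0 and again from 4.1.1
        "unsalted_equality_works": naive_lookup(users_unsalted, "alice", "foobar", unsalted_password),
        # what broke in 4.1.0: PASSWORD() no longer reproduced the stored value
        "salted_equality_breaks": not naive_lookup(users_salted, "alice", "foobar", salted_password),
        "salted_hashes_differ": salted_password("foobar") != salted_password("foobar"),
        # what application code would have had to do instead
        "verify_accepts_correct": verify_salted(users_salted["alice"], "foobar"),
        "verify_rejects_wrong": not verify_salted(users_salted["alice"], "foobaz"),
    }
```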