If I remember correctly from a former security discussion, the server
sends a challange to the client (i.e. a random string) which gets
encrypted with the password as seed. The encrypted string is sent back
and verified by the server by proceeding the same procedure (as said,
the server can easily decrypt the locally stored password string).
So, no, the plain password is should never been sent around.
PS: removed 'announce' from CC, because this isn't an announce anymore.
On Fri, Aug 25, 2000 at 08:34:09AM +0800, rhopkins@stripped wrote:
> > Michael Widenius wrote:
> > >
> > > The encrypted password is the real password in MySQL; The password is
> > > only encrypted to not let one guess your real password;
> > Does this mean that when connecting to MySQL using perl (or even the
> > MySQL client) over a network, the following occurs?
> > DBD::mysql first encrypts the password.
> > It then sends the encrypted password to the MySQL server.
> > The MySQL server compares it to the stored encrypted password.
> > If they match, let the user in.
> > If so, couldn't someone sniff the packets and get the encrypted password
> > anyway?
> I would have thought that the password would get sent to the mysql server
> before being encrypted for comparison!!!