List: General Discussion
From: Michael Widenius
Date: March 23 1999 3:30am
Subject: Re: user database question
>>>>> "Ed" == Ed Carp <erc@stripped> writes:

>> Why does mysql use the same salt every time it encrypts
>> a user password inserted into the user database with
>> the GRANT... command?
>> 
>> (at least it seems to do so -- 2 users with the same
>> password get the same password entry in the
>> "user" database)


Ed> It doesn't.  In fact, it doesn't use the crypt() function at all - it uses a
Ed> variant of XOR, which is trivial to break.

Hi!

MySQL doesn't use XOR and it's not THAT trivial to break.
(The main reason that it's hard to break is that it's one-way; there
are many passwords that can generate the same password string (as there
are only 2^62 different possible passwords).)

Anyhow, as normal users shouldn't be allowed to access the mysql.user
table and as not even the crypted password is transmitted over the
line when connecting, this isn't that fatal.

For true, more than industry strength security, one should use ssh.

Regards,
Monty
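
The observation in the question (two users with the same password ending up with the same stored entry) can be reproduced and audited for, as in this added example, which is not part of the original messages and is not MySQL code. SHA-256 and PBKDF2 are stand-ins chosen for illustration, not MySQL's password function, and the account names and passwords are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict

def unsalted_entry(password):
    # Stand-in for any salt-free one-way function (NOT MySQL's algorithm).
    return hashlib.sha256(password.encode()).hexdigest()

def salted_entry(password, salt=None):
    # A fresh random salt per user, stored beside the derived key.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()

def verify_salted(password, entry):
    # Re-derive with the stored salt and compare in constant time.
    salt_hex, _ = entry.split("$")
    candidate = salted_entry(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, entry)

def shared_entries(table):
    # Audit check: groups of users whose stored entries are identical,
    # which reveals who shares a password when no per-user salt is used.
    groups = defaultdict(list)
    for user, entry in table.items():
        groups[entry].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts; alice and bob chose the same password.
ACCOUNTS = {"alice": "tr0ub4dor", "bob": "tr0ub4dor", "carol": "horse-staple"}

def build(entry_fn):
    # Build a user -> stored entry table with the given scheme.
    return {user: entry_fn(pw) for user, pw in ACCOUNTS.items()}

if __name__ == "__main__":
    print("unsalted duplicates:", shared_entries(build(unsalted_entry)))
    print("salted duplicates:  ", shared_entries(build(salted_entry)))
```
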


