From:Mike Moran Date:December 15 2004 4:14pm
Subject:Re: Definition of password hashing algorithm in 4.1.7
Mark Matthews wrote:

[ ... ]
> Mike Moran wrote:
>>I've been looking into what algorithm MySQL 4.1.7 uses for password 
>>hashing/encryption, with a view to ascertaining how secure it is. Does 
>>it conform to any combinations of published Specs e.g. MD5/SHA-1/etc?
[ ... ]
> Mike,
> MySQL-4.1.7 uses SHA-1. The code you're looking at is for MySQL-4.0 and
> older. See MysqlIO.secureAuth411(), which also happens to have the
> entire algorithm in a comment block ;)

Ta for that (and also the SciBit person). I think I understand what is 
going on here, going by the doc comment you mention. However, I'm unsure 
why the password is being hashed twice i.e. why is hash_stage2 needed? I 
suppose it doesn't hurt, but I'm just curious. Also, I take it from this 
that the authentication algorithm/protocol used is MySQL-specific?

Incidentally, I notice Security#scramble411() uses getBytes() without 
specifying a character set. As far as I understand it, because 
getBytes() uses the default platform character set, this will give a 
different scramble value on different Java platforms when you use 
characters outside the small range which is encoded the same in multiple 
  character sets e.g. if you use a non-ASCII password. I haven't 
double-checked this; I just noticed it in passing.

