>>>>> "Ed" == Ed Carp <erc@stripped> writes:
>> Why does mysql use the same salt everytime it encrypts
>> a user password inserted into the user database with
>> the GRANT... command?
>> (at least it seems to do so -- 2 users with the same
>> password gets the same password entry in the
>> "user" datasbase)
Ed> It doesn't. In fact, it doesn't use the crypt() function at all - it uses a
Ed> variant of XOR, which is trivial to break.
MySQL doesn't use XOR and it's not THAT trivial to break.
(The main reason that it's hard to break is that it's one-way; There
is many passwords that can generate the same password string (as there
is only 2^62 different possible passwords).
Anyhow, as normal users shouldn't be allowed to access the mysql.user
table and as not even the crypted password is transmitted over the
line when connection this isn't that fatal.
For true, more than industry strength security, one should use ssh.