
List:       mysql-internals
Subject:    Re: password algorithm
From:       Michael Widenius <monty () mysql ! com>
Date:       2001-07-25 13:44:36


Hi!

>>>>> "Michael" == Michael Salmon <ms@collab.net> writes:

Michael> Why not use a somewhat trusted and conventional hashing algorithm 
Michael> such as md5? Inventing your own is dangerous. Can the algorithm be
Michael> formalized and put into a standard? If it were rfc'd I'd imagine
Michael> improvements could be made or at least its strength checked by
Michael> cryptanalysts.
 
The problem is not hashing the password; as long as no one gets access
to the mysql.user table, this is not a problem.

(Even if one gets access to the mysql.user table, one can't from this
deduce the original password easily, as the current password algorithm
is lossy).

The problem in authentication is checking the password without ever
sending it over the line in either direction.  For this MD5 doesn't
provide any solution.

In MySQL 4.0 we will have the option to connect to MySQL with SSL,
which will fix this problem once and for all.

Regards,
Monty
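
An added example, not part of the original message and not MySQL's own algorithm: a challenge-response check in which the password is never sent over the line in either direction. The SHA-256 verifier, the HMAC construction and all function names are assumptions.

```python
import hashlib
import hmac
import secrets


def stored_verifier(password: str) -> bytes:
    # Value kept in the server's user table (assumption: SHA-256 of the password).
    return hashlib.sha256(password.encode()).digest()


def new_challenge() -> bytes:
    # Server side: a fresh random nonce for every connection attempt.
    return secrets.token_bytes(20)


def client_response(password: str, challenge: bytes) -> bytes:
    # Client side: only this MAC crosses the wire, never the password or its hash.
    return hmac.new(stored_verifier(password), challenge, hashlib.sha256).digest()


def server_check(verifier: bytes, challenge: bytes, response: bytes) -> bool:
    # Server recomputes the MAC from its stored verifier and compares in constant time.
    expected = hmac.new(verifier, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    verifier = stored_verifier("correct horse")  # constructed sample password
    c1 = new_challenge()
    r1 = client_response("correct horse", c1)
    c2 = new_challenge()  # challenge issued for a later connection
    return {
        "good_login": server_check(verifier, c1, r1),
        "wrong_password": server_check(verifier, c1, client_response("guess", c1)),
        # A response recorded from the first connection fails against a new nonce.
        "replayed_response": server_check(verifier, c2, r1),
        # Design caveat: the stored verifier is itself the MAC key here, so the
        # user table needs the same protection as the passwords themselves.
        "verifier_is_credential": server_check(
            verifier, c2, hmac.new(verifier, c2, hashlib.sha256).digest()
        ),
    }


if __name__ == "__main__":
    print(demo())
```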


