PASSWORD broken in latest 4.1?

on 08.12.2002 12:51:06 by Georg Richter

Hello,

looks like the PASSWORD function is broken (latest public 4.1 bk-version)

how-to-repeat:

mysql> \s
--------------
mysql Ver 13.0 Distrib 4.1.0-alpha, for pc-linux (i686)

Connection id: 4
Current database: test
Current user: test@localhost
SSL: Not in use
Current pager: less
Using outfile: ''
Server version: 4.1.0-alpha-log
Protocol version: 10
Connection: Localhost via UNIX socket
Client characterset: latin1
Server characterset: latin1
UNIX socket: /tmp/mysql.sock
Uptime: 2 min 21 sec

Threads: 1 Questions: 28 Slow queries: 0 Opens: 14 Flush tables: 1 Open
tables: 8 Queries per second avg: 0.199
--------------

mysql> select password('test');
+-----------------------------------------------+
| password('test') |
+-----------------------------------------------+
| *67135e49566ab865d91c00b82074d11715fe852a05ba |
+-----------------------------------------------+
1 row in set (0.00 sec)

mysql> select password('test');
+-----------------------------------------------+
| password('test') |
+-----------------------------------------------+
| *9cbfbda6d76e5d23ba74931a800ea4a4ac8a66619eec |
+-----------------------------------------------+
1 row in set (0.00 sec)

mysql>

------------------------------------------------------------ ---------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)

To request this thread, e-mail bugs-thread13241@lists.mysql.com
To unsubscribe, e-mail

Re: PASSWORD broken in latest 4.1?

on 08.12.2002 13:41:30 by Georg Richter

On Sunday 08 December 2002 14:05, Peter Zaitsev wrote:

Hello Peter,

>
> Passwords have just got longer nowadays and they have a salted form with random
> salt, so they return a different result for the same string.

Hmm... but how can I store passwords? Is there a new field-type for them?

this fails (of course):

mysql> create table t_33 (foo char(10), pw char(45));
Query OK, 0 rows affected (0.00 sec)

mysql> insert into t_33 values ("bar", password('mypw'));
Query OK, 1 row affected (0.01 sec)

mysql> select foo from t_33 where pw=password('mypw');
Empty set (0.00 sec)


Regards

Georg

filter: how-to-repeat


Re: PASSWORD broken in latest 4.1?

on 08.12.2002 14:05:58 by Peter Zaitsev

On Sunday 08 December 2002 14:51, Georg Richter wrote:
> Hello,
>
> looks like PASSWORD-function is broken (latest public 4.1 bk-version)


No. It is not broken.

Passwords have just got longer nowadays and they have a salted form with random
salt, so they return a different result for the same string.

I expect it might not work well for you if you did not run the
fix_priv_tables script - old tables had just 16 bytes to store the password.



P.S Docs are still to be updated :)

>
> how-to-repeat:
>
> mysql> \s
> --------------
> mysql Ver 13.0 Distrib 4.1.0-alpha, for pc-linux (i686)
>
> Connection id: 4
> Current database: test
> Current user: test@localhost
> SSL: Not in use
> Current pager: less
> Using outfile: ''
> Server version: 4.1.0-alpha-log
> Protocol version: 10
> Connection: Localhost via UNIX socket
> Client characterset: latin1
> Server characterset: latin1
> UNIX socket: /tmp/mysql.sock
> Uptime: 2 min 21 sec
>
> Threads: 1 Questions: 28 Slow queries: 0 Opens: 14 Flush tables: 1 Open
> tables: 8 Queries per second avg: 0.199
> --------------
>
> mysql> select password('test');
> +-----------------------------------------------+
> | password('test') |
> +-----------------------------------------------+
> | *67135e49566ab865d91c00b82074d11715fe852a05ba |
> +-----------------------------------------------+
> 1 row in set (0.00 sec)
>
> mysql> select password('test');
> +-----------------------------------------------+
> | password('test') |
> +-----------------------------------------------+
> | *9cbfbda6d76e5d23ba74931a800ea4a4ac8a66619eec |
> +-----------------------------------------------+
> 1 row in set (0.00 sec)
>
> mysql>
>

--
MySQL 2003 Users Conference -> http://www.mysql.com/events/uc2003/
Mr. Peter Zaitsev
MySQL AB, Full-Time Developer
Moscow, Russia
www.mysql.com



Re: PASSWORD broken in latest 4.1?

on 08.12.2002 14:36:57 by Georg Richter

On Sunday 08 December 2002 15:08, Peter Zaitsev wrote:

Hello Peter,

> If you need old hash badly there is function OLD_PASSWORD() added which
> provides old hashing.

This will certainly break tons of applications/scripts, because too many users
usually store their passwords with the password function (see samples in
books, tutorials etc.). How about having a NEW_PASSWORD() function or
PASSWORD2() function which doesn't break BC?

Regards

Georg


Re: PASSWORD broken in latest 4.1?

on 08.12.2002 15:08:33 by Peter Zaitsev

On Sunday 08 December 2002 15:41, Georg Richter wrote:
> On Sunday 08 December 2002 14:05, Peter Zaitsev wrote:
>
> Hello Peter,
>
> >
> > Passwords have just got longer nowadays and they have a salted form with
> > random salt, so they return a different result for the same string.
>
> Hmm... but how can I store passwords? Is there a new field-type for them?

No. Basically password("") is a function to get MySQL's password hash which
you can use to assign a new password value for the user. You can still use the
password function this way.

If you need to have a scrambled password in the application it is better to use
standard encryption functions such as MD5() or SHA1().

They can be used the way you would like.

If you need the old hash badly there is a function OLD_PASSWORD() added which
provides the old hashing.

Please note however, the hashing used by the old password() function is not as
cryptographically proven strong as SHA1 or MD5.

The new password hash is SHA1-based with salt.


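As an added illustration of Peter's point above (not code from the thread and not MySQL's own implementation), the following Python uses sqlite3 as a stand-in for the server and registers a hypothetical salted-SHA1 password() whose format is constructed for the example, not MySQL 4.1's real algorithm or output. It reproduces Georg's empty result set and shows the application-side verification that a randomly salted hash requires.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional

SALT_LEN = 4  # constructed: 4 random bytes, hex-encoded into the stored value


def salted_password(pw: str, salt: Optional[bytes] = None) -> str:
    """Stand-in for the 4.1 PASSWORD(): SHA1 over a random salt plus the
    password, stored as '*' + salt hex + digest hex. Illustrative only;
    this is NOT MySQL's real algorithm or output format."""
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh salt on every call ...
    digest = hashlib.sha1(salt + pw.encode("utf-8")).hexdigest()
    return "*" + salt.hex() + digest         # ... so equal inputs hash differently


def verify_password(stored: str, candidate: str) -> bool:
    """Correct check for a salted hash: pull the salt out of the stored value,
    re-hash the candidate with it, and compare in constant time."""
    if not stored.startswith("*") or len(stored) != 1 + 2 * SALT_LEN + 40:
        return False
    salt = bytes.fromhex(stored[1:1 + 2 * SALT_LEN])
    return hmac.compare_digest(stored, salted_password(candidate, salt))


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the t_33 table from the thread, with a
    user-defined password() that behaves like the salted 4.1 function."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("password", 1, salted_password)
    conn.execute("create table t_33 (foo char(10), pw char(49))")
    conn.execute("insert into t_33 values ('bar', password('mypw'))")
    return conn


def lookup_by_equality(conn: sqlite3.Connection, pw: str) -> List[str]:
    """The pattern from the thread: WHERE pw = password(?). With a random
    salt the right-hand side never matches the stored value, so this is empty."""
    rows = conn.execute("select foo from t_33 where pw = password(?)", (pw,))
    return [r[0] for r in rows.fetchall()]


def login_by_verify(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    """Application-side check: fetch the stored hash for the user and verify
    it with the salt it already carries."""
    row = conn.execute("select pw from t_33 where foo = ?", (user,)).fetchone()
    return row is not None and verify_password(row[0], pw)
```

The deterministic MD5()/SHA1() route Peter suggests would make the equality query work again, but only because it drops the salt; the verify-side pattern keeps the salt and still authenticates correctly.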

Re: PASSWORD broken in latest 4.1?

on 08.12.2002 19:34:08 by Peter Zaitsev

On Sunday 08 December 2002 16:36, Georg Richter wrote:
> On Sunday 08 December 2002 15:08, Peter Zaitsev wrote:
>
> Hello Peter,
>
> > If you need old hash badly there is function OLD_PASSWORD() added which
> > provides old hashing.
>
> This will certainly break tons of applications/scripts, because too many users
> usually store their passwords with the password function (see samples in
> books, tutorials etc.). How about having a NEW_PASSWORD() function or
> PASSWORD2() function which doesn't break BC?

These are basically wrong applications :) The main purpose of the PASSWORD()
function is to return the encrypted password as MySQL stores it in the mysql.user table.

Many users change the password using the password() function instead of using the GRANT
statement.

For encrypting external passwords one should use md5() or sha1() as
recommended in the manual :)

Of course this adds some problems, and so it shall be mentioned in the upgrade
section for MySQL 4.0.

But I still think it is better to require changing wrong applications rather
than the way users can change passwords.


By the way

--old-passwords

startup option will force MySQL 4.1 to use the old password format. Thus this will
also lead to weaker authentication.
