Password() generates random result in 4.1.0 alpha

on 12.08.2003 19:08:15 by Kevin Lee

Hello,

In 4.1.0 alpha, I found the result of "SELECT PASSWORD('WHATEVER')"
statement is generating random results. Therefore I had to use MD5() to
store password to my tables.

This problem does not exist in 4.0, where PASSWORD() gives consistent
result.

Why can this happen?

Re: Password() generates random result in 4.1.0 alpha

on 13.08.2003 08:58:04 by Alexander Keremidarski

Kevin,

Kevin Lee wrote:
> Hello,
>
> In 4.1.0 alpha, I found the result of "SELECT PASSWORD('WHATEVER')" statement
> is generating random results. Therefore I had to use MD5() to store password to my
> tables.

Results are not random. This is SHA1 based algorithm which produces these hashes.

4.1 uses different, more secure password encryption and authentication mechanism.
It implements function OLD_PASSWORD() which uses old code for compatibility.

However you must note that PASSWORD() function was always intended to be used for
storing MySQL users passwords only and never for using in any other area.

Quoting manual:

Note: The PASSWORD() function is used by the authentication system in MySQL
Server, you should NOT use it in your own applications. For that purpose, use
MD5() or SHA1() instead. Also see RFC-2195 for more information about handling
passwords and authentication securely in your application.


Best regards

--
Are you MySQL certified? -> http://www.mysql.com/certification
For technical support contracts, visit https://order.mysql.com/?ref=msal
__ ___ ___ ____ __
/ |/ /_ __/ __/ __ \/ / Mr. Alexander Keremidarski
/ /|_/ / // /\ \/ /_/ / /__ MySQL AB, Full-Time Developer
/_/ /_/\_, /___/\___\_\___/ Sofia, Bulgaria
<___/ www.mysql.com




--
MySQL Bugs Mailing List
For list archives: http://lists.mysql.com/bugs
To unsubscribe: http://lists.mysql.com/bugs?unsub=gcdmb-bugs@m.gmane.org

Re: Password() generates random result in 4.1.0 alpha

on 13.08.2003 11:47:13 by Alexander Keremidarski

Kevin,

Alexander Keremidarski wrote:

> Results are not random. This is SHA1 based algorithm which produces these hashes.

Some more details in case my first email was not clear enough.

4.1.0 PASSWORD() function adds a random salt to the password.
This behaviour is changed in 4.1.1

Which is one more argument against usage of PASSWORD() in application. Remember
this function is intended for handling MySQL users passwords only.

Best regards

--
Are you MySQL certified? -> http://www.mysql.com/certification
For technical support contracts, visit https://order.mysql.com/?ref=msal
__ ___ ___ ____ __
/ |/ /_ __/ __/ __ \/ / Mr. Alexander Keremidarski
/ /|_/ / // /\ \/ /_/ / /__ MySQL AB, Full-Time Developer
/_/ /_/\_, /___/\___\_\___/ Sofia, Bulgaria
<___/ www.mysql.com

Re: Password() generates random result in 4.1.0 alpha

on 13.08.2003 11:58:52 by Sergei Golubchik

Hi!

On Aug 13, Alexander Keremidarski wrote:
> Kevin,
>
> Kevin Lee wrote:
> > Hello,
> >
> > In 4.1.0 alpha, I found the result of "SELECT PASSWORD('WHATEVER')" statement
> > is generating random results. Therefore I had to use MD5() to store password to my
> > tables.

It is because in 4.1.0 PASSWORD is adding random salt to the password
string.

But this behaviour will be removed in 4.1.1.

> However you must note that PASSWORD() function was always intended to be used for
> storing MySQL users passwords only and never for using in any other area.

This is correct.

So you were right using MD5 for your passwords.

Regards,
Sergei

--
__ ___ ___ ____ __
/ |/ /_ __/ __/ __ \/ / Sergei Golubchik
/ /|_/ / // /\ \/ /_/ / /__ MySQL AB, Senior Software Developer
/_/ /_/\_, /___/\___\_\___/ Osnabrueck, Germany
<___/ www.mysql.com
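
The behaviour discussed in this thread (a hash function that adds a random salt returns a different string on every call for the same input, so re-hashing and comparing strings stops working) shown as an added Python example; it is not code from the thread or from MySQL. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in rather than the PASSWORD() algorithm, and the function names, the `salt$digest` record format and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor for this example


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex'; a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def naive_check(stored, candidate):
    """The pattern that breaks with salting: hash again and compare the strings,
    the equivalent of WHERE pw = PASSWORD('...')."""
    return stored == hash_password(candidate)


def verify_password(stored, candidate):
    """Re-hash the candidate with the salt kept in the stored record,
    then compare the digests in constant time."""
    try:
        salt_hex, digest_hex = stored.split("$", 1)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: no separator or non-hex fields
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    first = hash_password("WHATEVER")
    second = hash_password("WHATEVER")
    print("same input, two calls, equal output:", first == second)
    print("naive string comparison accepts:", naive_check(first, "WHATEVER"))
    print("salt-aware verification accepts:", verify_password(first, "WHATEVER"))
    print("wrong password accepted:", verify_password(first, "whatever"))
```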