Is it considered good or bad practice to use MySQL's password function to hash passwords used by an application? I can see pros and cons. I'm curious if there is a general consensus on whether it is good or bad.
I know the older one (OLD_PASSWORD in 5 and up) is definitely insecure. There is also the MD5 function, but with the rise of colossal rainbow tables, it's not 100% reliable as a way of completely obfuscating stored passwords. A better method is hashing the password (with a salt) before it reaches the database.
The PASSWORD function performs encryption one-way. The PASSWORD function is used by the authentication system in MySQL to store passwords. Do not use the PASSWORD function in your own application; use the MD5 or SHA1 functions instead. See also the ENCRYPT function.
MySQL stores credentials in the user table in the mysql system database. Operations that assign or modify passwords are permitted only to users with the CREATE USER privilege, or, alternatively, privileges for the mysql database (INSERT privilege to create new accounts, UPDATE privilege to modify existing accounts).
The docs for MySQL's PASSWORD() function state:
The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications.
Read "You're Probably Storing Passwords Incorrectly" for better advice on hashing and storing passwords.
MD5 and SHA-1 are considered to be too weak to use for passwords. The current recommendation is to use SHA-256.
I contributed a patch to MySQL to support a SHA2() function, and the patch was accepted, but since their roadmap has changed it's not clear when it will make it into a released product.
In the meantime, you can use hashing and salting in your programming language, and simply store the resulting hash digest in the database. If you use PHP, SHA-256 is available in the hash() function.
Update: MySQL 5.5.8 was released in December 2010, and that release contains support for the SHA2() function.