 

MySQL password function

Is it considered good or bad practice to use MySQL's password function to hash passwords used by an application? I can see pros and cons. I'm curious if there is a general consensus on whether it is good or bad.

Wes asked Nov 17 '09 19:11



1 Answer

The docs for MySQL's PASSWORD() function state:

The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications.

Read "You're Probably Storing Passwords Incorrectly" for better advice on hashing and storing passwords.

MD5 and SHA-1 are considered to be too weak to use for passwords. The current recommendation is to use SHA-256.

I contributed a patch to MySQL to support a SHA2() function, and the patch was accepted, but since their roadmap has changed it's not clear when it will make it into a released product.

In the meantime, you can use hashing and salting in your programming language, and simply store the result hash digest in the database. If you use PHP, SHA-256 is available in the hash() function.

Update: MySQL 5.5.8 was released in December 2010, and that release contains support for the SHA2() function.

Bill Karwin answered Oct 03 '22 06:10
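The approach the answer above recommends (salt and hash in the application, store only the resulting digest, never call PASSWORD() from your own code), worked through as an added example in Python rather than PHP. This is not code from the question or the answer. The record layout, the 16-byte salt, and the PBKDF2 variant with its iteration count are assumptions of this example. The PBKDF2 function is included because a single salted SHA-256 is cheap to compute, so an attacker with a stolen table can still test billions of guesses per second; current password-storage guidance calls for a deliberately slow key-derivation function, and it needs exactly the same salt handling shown for plain SHA-256.

```python
import hashlib
import hmac
import os
from typing import Optional

# Record layout is an assumption of this example (not from the page):
#   "sha256$<hex salt>$<hex digest>"
#   "pbkdf2_sha256$<iterations>$<hex salt>$<hex digest>"
# Keeping the salt (and the cost) inside the stored record is what lets
# verification recompute exactly the same digest later.

SALT_BYTES = 16               # 128-bit random salt per password (assumed size)
PBKDF2_ITERATIONS = 600_000   # assumed work factor; raise as hardware gets faster


def hash_password_sha256(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-256, the scheme the answer above recommends.

    The salt comes from os.urandom, so two users with the same password get
    different records, which is what defeats precomputed rainbow tables.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None,
                         iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256: the same salt handling plus a tunable work factor,
    so each offline guess costs the attacker `iterations` HMAC evaluations.
    The cost is written into the record so it can be raised later without
    breaking rows hashed under the old value.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time.

    Anything malformed or of an unknown scheme fails closed (returns False).
    """
    parts = stored.split("$")
    try:
        if parts[0] == "sha256" and len(parts) == 3:
            recomputed = hash_password_sha256(password, bytes.fromhex(parts[1]))
        elif parts[0] == "pbkdf2_sha256" and len(parts) == 4:
            recomputed = hash_password_pbkdf2(
                password, bytes.fromhex(parts[2]), int(parts[1]))
        else:
            return False
    except ValueError:          # bad hex or a non-numeric iteration count
        return False
    # hmac.compare_digest avoids leaking the mismatch position through timing
    return hmac.compare_digest(recomputed, stored)


def same_password_different_records(password: str) -> bool:
    """The point of salting: identical passwords produce distinct records."""
    return hash_password_sha256(password) != hash_password_sha256(password)


if __name__ == "__main__":
    record = hash_password_pbkdf2("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Tr0ub4dor&3", record))                    # False
```

The application stores the returned string in a plain VARCHAR column and passes it back to verify_password at login; MySQL never sees the cleartext in a hashing call, so it does not end up in the query log or binary log the way PASSWORD('...') or SHA2('...', 256) in a statement would.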