Reputation: 1290
Is the MySQL password function vulnerable to this?
Is storing a password in the DB using MySQL's password function just as bad as this?
http://money.cnn.com/2012/06/06/technology/linkedin-password-hack/?source=linkedin
The problem with SHA-1 is that it translates the same text the same way each time. So if your password is "password" and your friend's password is also "password," they will be hashed exactly the same way. That makes reversing the process to uncover the original password significantly easier.
I know it says SHA-1, but obviously any unsalted one way hash would have the same issue.
Upvotes: 3
Views: 1148
Answers (2)
Reputation: 53870
MySQL documentation says that you shouldn't be using the PASSWORD() function in your own application:
The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications.
Internally, MySQL's PASSWORD() function utilizes SHA1(2), that's SHA1 twice. However, it doesn't utilize a salt. So, yes, it's still vulnerable to rainbow table attacks.
Upvotes: 2
Reputation: 219894
Is storing a password in the DB using MySQL's password function just as bad as this?
Yes.
Generally speaking you want to use a method that includes a salt, preferably unique for each user, and is slow to run to prevent brute force cracking. Bcrypt is the currently recommended way to go when storing passwords because it is intentionally (relatively) slow to create.
Upvotes: 3
Related Questions
- MySQL password function
- MySQL Hashing Function Implementation
- hash() function in mysql version 8.0
- MySQL select by password() does not return expected result
- Encryption of hashed passwords?
- Hashed password must be sanitized?
- what type of password hash? possible mysql hash?
- MySQL plain-text to hash passwords
- Password hash in PHP: Am I Doing This Right?
- Why is the old mysql password function considered insecure