MD5 Passwords in MySql?

Charles Bradshaw brad at bradcan.homelinux.com
Mon Mar 25 07:40:43 EDT 2013


Daniel

Yes I understand and accept the weakness of MD5. In the world of
exponentially increasing processing power there will always be weakness,
of ANY scheme.

The question is not however about the efficacy of encryption methods!
It's about how to achieve password hashing in a mysql database.

I have indicated how to use AES. Its strength however is compromised by
the necessity of revealing the key in many places.

I would be most grateful, if anybody KNOWS:

Is there a way to store MD5 hashed passwords when using the mysql
plugin?

Security through obscurity is always a bad principle.  


On Mon, 2013-03-25 at 08:59 +1030, Daniel O'Connor wrote:
> On 25/03/2013, at 7:33, Charles Bradshaw <brad at bradcan.homelinux.com> wrote:
> >> That seems very wrong to me.
> > 
> > It might be a kludge, but it's not wrong. It avoids storing plain text
> > passwords, which are always a risk. The purpose of MD5 digest is to make
> > passwords truly private to the user. Not even root knows users' passwords
> > when stored in shadow(MD5).
> > 
> > The only risk to shadow passwords is a brute force attack which is
> > relatively easy to detect and foil.
> 
> FYI a single round of MD5 is considered quite weak these days.
> 
> The whole point of hashing a password is to make it difficult to find a password if the password DB is leaked. MD5 is no longer sufficient for this (even with salt).
> 
> A modern GPU can brute force billions of passwords per second and humans suck at generating them.
> 
> --
> Daniel O'Connor software and network engineer





More information about the Info-cyrus mailing list