Mike, The newest MySQL uses SHA1 in combo with random generated 20 byte session hash values. The procedure is irreversible and therefore why it is not possible to obtain the original password. MySQL is thus very secure and only vulnerable to a bruteforce attack. You can partially secure yourself against this by limiting users to specific hosts.
The day will surely come when MySQL will built in a "timeout" after a failed login attempt (i.e. when the username and host is ok, but the password failed). This will render even the bruteforce attack useless, as the attacker will have to wait years to test even a billion passwords (depending on the timeout value of course). As a typical bruteforce attack (depending on the number of valid characters and password length) can easily run into 10+ billion password permutations, this attack will be in vain as it will take decades to test all the passwords. Currently though, has MySQL no such feature. This allows you to test passwords against it upward of 10,000+ per second (if it is localhost), i.e. you can therefore test a billion passwords in approx. 30 mins. All this is obviously just estimates, as it depends on factors such as the MySQL hardware, your hardware, where the MySQL is running relative to you and how fast a connection can be established, etc etc. Typically (using a remote MySQL server) even just the connection setup time takes 1 second, i.e. 1 password/sec, thus 1 billion passwords will take 31 years :) Kind Regards SciBit MySQL Team http://www.scibit.com MySQL Products: http://www.scibit.com/products/mycon http://www.scibit.com/products/mysqlcomponents http://www.scibit.com/products/mysqlx http://www.scibit.com/products/mascon > > -----Original Message----- > From: "Mike Moran" <[EMAIL PROTECTED]> > To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>;"[EMAIL PROTECTED]" > <[EMAIL PROTECTED]> > CC: > Subject: Definition of password hashing algorithm in 4.1.7 > Sent: Wed, 15 Dec 2004 12:44:10 GMT > Received: Wed, 15 Dec 2004 12:48:19 GMT > Read: Wed, 15 Dec 2004 13:46:54 GMT > X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on mail3.infinology.net > X-Spam-Status: No, hits=0.0 required=7.0 tests=none autolearn=no version=2.63 > > I've been looking into what algorithm MySQL 4.1.7 uses for password > hashing/encryption, with a view to ascertaining how secure it is. Does > it conform to any combinations of published Specs e.g. MD5/SHA-1/etc? > > I had a look at com.mysql.jdbc.Util#newHash() and #newCrypt() in > Connector/J 3.0, but the code is somewhat opaque. Is this algorithm > native to MySQL or is it just an implementation of a published > algorithm? Is it worth my time trying to track down the intriguing > 'Monty' code mentioned in Util.java? > > Ta, > > -- > Mike > > > > -- > MySQL General Mailing List > For list archives: http://lists.mysql.com/mysql > To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED] > > > -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]