Mark Matthews wrote:

[ ... ]
Mike Moran wrote:

I've been looking into what algorithm MySQL 4.1.7 uses for password hashing/encryption, with a view to ascertaining how secure it is. Does it conform to any combinations of published Specs e.g. MD5/SHA-1/etc?
[ ... ]
Mike,

MySQL-4.1.7 uses SHA-1. The code you're looking at is for MySQL-4.0 and
older. See MysqlIO.secureAuth411(), which also happens to have the
entire algorithm in a comment block ;)

Ta for that (and also the SciBit person). I think I understand what is going on here, going by the doc comment you mention. However, I'm unsure why the password is being hashed twice i.e. why is hash_stage2 needed? I suppose it doesn't hurt, but I'm just curious. Also, I take it from this that the authentication algorithm/protocol used is MySQL-specific?


Incidentally, I notice Security#scramble411() uses getBytes() without specifying a character set. As far as I understand it, because getBytes() uses the default platform character set, this will give a different scramble value on different Java platforms when you use characters outside the small range which is encoded the same in multiple character sets e.g. if you use a non-ASCII password. I haven't double-checked this; I just noticed it in passing.

--
Mike

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]