RE: connecting by knowing someone's "scrambled" password?

Thu, 09 Aug 2001 22:48:08 -0700 

> http://www.mysql.com/doc/U/s/User_names.html
> says:
>  >>>
> MySQL encrypts passwords using a different algorithm than the one used
> during the Unix login process. See the descriptions of the PASSWORD() and
>       ENCRYPT() functions in section 6.4.12 Miscellaneous Functions. Note
> that even if the password is stored 'scrambled', and knowing your
> 'scrambled'
>       password is enough to be able to connect to the MySQL server!
>  >>>
>
> How is that possible?  Even if you do know someone's scrambled password,
> when you connect to the MySQL server pretending to be that user, it will
> ask you for their non-scrambled password.  After you type it in,
> the server
> will scramble it and check that the scrambled value matches the scrambled
> value stored in the database -- but you can't intercept that part of the
> process and insert the "known scrambled" password to be checked.
>
>       -Bennett

The manual certainly *does* need a clean-up on this.

---
4.3.6 Setting Up Passwords:
...When the user jeffrey attempts to connect to the
server using this password, the mysql client encrypts
it with PASSWORD() and sends the result to the server.
The server compares the value in the user table...
---

Which would explain why knowing the encrypted password
is enough to gain access to the server (you would, of
course, need to write your own version of the mysql
where you skip the PASSWORD call).

However,

---
4.2.8 Access Control, Stage 1: Connection Verification
...The encrypted password is then used when the client/server
is checking if the password is correct (This is done without
the encrypted password ever traveling over the connection.) ...
---

These two statements surely contradict each other.

/ Carsten
--
Carsten H. Pedersen
keeper and maintainer of the bitbybit.dk MySQL FAQ
http://www.bitbybit.dk/mysqlfaq


---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php

Reply via email to