On Wed, Oct 25, 2000 at 10:27:15AM -0600, Bruce Guenter wrote: > On Tue, Oct 24, 2000 at 10:25:14AM -0400, Lamar Owen wrote: > > I am forwarding this not to belittle MySQL, but to hopefully help in the > > development of our own encryption protocol for secure password > > authentication over the network. > > > > The point being is that if we offer the protocol to do it, we had better > > ensure its security, or someone WILL find the hole. Hopefully it will > > be people who want to help security and not exploit it. > > IMO, anything short of a full SSL wrapped connection is fairly > pointless. What does it matter if the password is encrypted if > sensitive query data flows in the clear? Passwords are sensitive too. They are actually orthogonal, for data security we need something like SSL, but for authentication/password security we need some strong authentication scheme anyway. -- marko
