Re: connecting by knowing someone's scrambled password?
Hi!

On Aug 10, Carsten H. Pedersen wrote:
> > http://www.mysql.com/doc/U/s/User_names.html says:
> >
> > MySQL encrypts passwords using a different algorithm than the one used during the Unix login process. See the descriptions of the PASSWORD() and ENCRYPT() functions in section 6.4.12 Miscellaneous Functions. Note that even if the password is stored 'scrambled', and knowing your 'scrambled' password is enough to be able to connect to the MySQL server!
> >
> > How is that possible? Even if you do know someone's scrambled password, when you connect to the MySQL server pretending to be that user, it will ask you for their non-scrambled password. After you type it in, the server will scramble it and check that the scrambled value matches the scrambled value stored in the database -- but you can't intercept that part of the process and insert the known scrambled password to be checked.
> >
> > -Bennett
>
> The manual certainly *does* need a clean-up on this.
>
> ---
> 4.3.6 Setting Up Passwords:
> ...When the user jeffrey attempts to connect to the server using this password, the mysql client encrypts it with PASSWORD() and sends the result to the server. The server compares the value in the user table...
> ---
>
> Which would explain why knowing the encrypted password is enough to gain access to the server (you would, of course, need to write your own version of the mysql where you skip the PASSWORD call). However,
>
> ---
> 4.2.8 Access Control, Stage 1: Connection Verification
> ...The encrypted password is then used when the client/server is checking if the password is correct (This is done without the encrypted password ever traveling over the connection.) ...
> ---
>
> These two statements surely contradict each other.
>
> / Carsten
> --
> Carsten H. Pedersen
> keeper and maintainer of the bitbybit.dk MySQL FAQ
> http://www.bitbybit.dk/mysqlfaq

Thanks for pointing this out. Of course, the second statement is correct - MySQL authentication protocol is designed to never send anything reusable (e.g. password) over the wire.
We will fix the manual.

Regards,
Sergei

--
MySQL Development Team
Sergei Golubchik [EMAIL PROTECTED]
MySQL AB, http://www.mysql.com/
Osnabrueck, Germany

-
Before posting, please check:
   http://www.mysql.com/manual.php (the manual)
   http://lists.mysql.com/ (the list archive)

To request this thread, e-mail [EMAIL PROTECTED]
To unsubscribe, e-mail [EMAIL PROTECTED]
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
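
An added example (not part of the thread, and not MySQL's actual scramble code): a simplified challenge-response model of the point under discussion. Model A assumes the user table holds the same value the client keys its reply with; model B is a variant, not described in the thread, in which the table holds a hash of that value. SHA-256/HMAC, the function names and the sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Model A: the user-table row is K = h(password); the reply is keyed on K.
def a_row(password: str) -> bytes:
    return h(password.encode())

def a_response(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, hashlib.sha256).digest()

def a_verify(row: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(a_response(row, challenge), response)

# Model B (variant, not from the thread): the row is h(K), not K itself.
def b_row(password: str) -> bytes:
    return h(h(password.encode()))

def b_response(key: bytes, challenge: bytes) -> bytes:
    return xor(key, h(challenge + h(key)))

def b_verify(row: bytes, challenge: bytes, response: bytes) -> bool:
    key = xor(response, h(challenge + row))  # server unmasks K from the reply
    return hmac.compare_digest(h(key), row)

def demo(password: str = "constructed-sample-pw") -> dict:
    c1, c2 = os.urandom(16), os.urandom(16)  # one fresh challenge per connection
    row_a, row_b = a_row(password), b_row(password)
    reply_a = a_response(h(password.encode()), c1)  # client typed the password
    reply_b = b_response(h(password.encode()), c1)
    return {
        "a_login": a_verify(row_a, c1, reply_a),
        "a_row_sent_on_wire": reply_a == row_a,
        "a_old_reply_new_challenge": a_verify(row_a, c2, reply_a),
        "a_row_used_as_key": a_verify(row_a, c2, a_response(row_a, c2)),
        "b_login": b_verify(row_b, c1, reply_b),
        "b_old_reply_new_challenge": b_verify(row_b, c2, reply_b),
        "b_row_used_as_key": b_verify(row_b, c2, b_response(row_b, c2)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value}")
```

In model A the row never crosses the wire and a captured reply is useless against a new challenge, yet the row itself is password-equivalent, so read access to the user table has to be restricted as tightly as the passwords. In model B the row alone does not answer a challenge, but the row combined with one observed exchange still reveals K, so the table and the network path both need protection.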
RE: connecting by knowing someone's scrambled password?
> How is that possible? Even if you do know someone's scrambled password, when you connect to the MySQL server pretending to be that user, it will ask you for their non-scrambled password. After you type it in, the server will scramble it and check that the scrambled value matches the scrambled value stored in the database -- but you can't intercept that part of the process and insert the known scrambled password to be checked.

It's called bruteforcing... knowing the scrambled password, you can encrypt every possible password and compare it to the scrambled password to find the original password. Either that or the scrambled password is encrypted by the client then sent for comparison, but I doubt it.
RE: connecting by knowing someone's scrambled password?
> http://www.mysql.com/doc/U/s/User_names.html says:
>
> MySQL encrypts passwords using a different algorithm than the one used during the Unix login process. See the descriptions of the PASSWORD() and ENCRYPT() functions in section 6.4.12 Miscellaneous Functions. Note that even if the password is stored 'scrambled', and knowing your 'scrambled' password is enough to be able to connect to the MySQL server!
>
> How is that possible? Even if you do know someone's scrambled password, when you connect to the MySQL server pretending to be that user, it will ask you for their non-scrambled password. After you type it in, the server will scramble it and check that the scrambled value matches the scrambled value stored in the database -- but you can't intercept that part of the process and insert the known scrambled password to be checked.
>
> -Bennett

The manual certainly *does* need a clean-up on this.

---
4.3.6 Setting Up Passwords:
...When the user jeffrey attempts to connect to the server using this password, the mysql client encrypts it with PASSWORD() and sends the result to the server. The server compares the value in the user table...
---

Which would explain why knowing the encrypted password is enough to gain access to the server (you would, of course, need to write your own version of the mysql where you skip the PASSWORD call). However,

---
4.2.8 Access Control, Stage 1: Connection Verification
...The encrypted password is then used when the client/server is checking if the password is correct (This is done without the encrypted password ever traveling over the connection.) ...
---

These two statements surely contradict each other.

/ Carsten
--
Carsten H. Pedersen
keeper and maintainer of the bitbybit.dk MySQL FAQ
http://www.bitbybit.dk/mysqlfaq