ralijani has asked for the wisdom of the Perl Monks concerning the following question:

I am using the $pass=password('$clearpass') function and I store the $pass in MySQL, but now how can I get the clear password from $pass?

Retitled by davido.

Re: Reversing MySQL's password function
by erix (Prior) on Jan 15, 2005 at 12:06 UTC

    As far as I know, mysql's password() function is non-reversible (but it is repeatable, of course).

    Reversible are: encode (by decode), des_encrypt/des_decrypt (for mysql with SSL support), aes_encrypt/aes_decrypt.

    Make sure to check which mysql version you have, for these functions have changed between versions, or are only available in newer ones.

    Searching with google for these words will find you many explanations.

Re: Reversing MySQL's password function
by ercparker (Hermit) on Jan 15, 2005 at 14:11 UTC
    MySQL password() encryption is one-way.
    Here is some information on MySQL encryption functions.
Aside: Change in MySQL Reversing MySQL's password function in 4.1
by Mr. Muskrat (Canon) on Jan 15, 2005 at 17:11 UTC
Re: Reversing MySQL's password function
by martell (Hermit) on Jan 15, 2005 at 18:39 UTC

    If you want to store the passwords in a mysql database for an application, the following remark from the mysql manual may be relevant:

    quote (13.8.2 Encryption Functions: PASSWORD(str)):

    Note: The PASSWORD() function is used by the authentication system in MySQL Server, you should not use it in your own applications. For that purpose, use MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your application.

    A better practice is to calculate the SHA1 or MD5 sum of the password and store the results in your database.

    Both functions, MD5 and SHA1, are one way hash functions. So you can't reverse them to obtain the original 'clear' password.

    To authenticate somebody, just recalculate the SHA1 or MD5 sum of the given password in your application using module "Digest::SHA1" or "Digest::MD5". Then query the databank with a simple select statement to check if the calculated MD5/SHA1 value matches the stored MD5/SHA1 value for the user in the database. In that way the password is never sent in the clear from your application to the database.
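
The check described in the reply above, as an added example that is not part of the original thread: the digest is computed in the application with `sha1_hex` (unsalted, as in the post) and compared by a SELECT that uses placeholders, so neither the clear password nor any quoting of it ends up in the SQL text. Assumptions: DBI and DBD::SQLite are installed, an in-memory SQLite table stands in for the MySQL one, and the table, column and account names are made up for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;                        # assumption: DBI and DBD::SQLite are installed
use Digest::SHA qw(sha1_hex);   # core module; Digest::SHA1 exports the same sha1_hex

# In-memory database standing in for the application's MySQL table.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE users (name TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

# Store only the digest; the clear password never reaches the database.
sub register_user {
    my ($name, $clearpass) = @_;
    $dbh->do('INSERT INTO users (name, pass_hash) VALUES (?, ?)',
             undef, $name, sha1_hex($clearpass));
    return;
}

# Recalculate the digest in the application and let the SELECT compare it
# with the stored value. Placeholders keep the input out of the SQL string.
sub check_login {
    my ($name, $attempt) = @_;
    my ($found) = $dbh->selectrow_array(
        'SELECT COUNT(*) FROM users WHERE name = ? AND pass_hash = ?',
        undef, $name, sha1_hex($attempt));
    return $found ? 1 : 0;
}

# Constructed sample accounts; the second password contains a single quote.
register_user('alice', 'correct horse');
register_user('bob',   "it's me");

# What the table actually holds: a 40-character hex digest, not the password.
my ($stored) = $dbh->selectrow_array(
    'SELECT pass_hash FROM users WHERE name = ?', undef, 'alice');
print "stored for alice: $stored\n";

# Constructed login attempts: right, wrong case, quoted, unknown user.
for my $try (['alice', 'correct horse'], ['alice', 'Correct Horse'],
             ['bob',   "it's me"],       ['carol', 'anything']) {
    my ($name, $attempt) = @$try;
    printf "%-6s %-16s %s\n", $name, "[$attempt]",
        check_login($name, $attempt) ? 'accepted' : 'rejected';
}

$dbh->disconnect;
```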

Re: Reversing MySQL's password function
by PodMaster (Abbot) on Jan 15, 2005 at 11:26 UTC
    And what is password()? I'll bet the documentation mentions something.

    MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
    I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
    ** The third rule of perl club is a statement of fact: pod is sexy.

Re: Reversing MySQL's password function
by thor (Priest) on Jan 15, 2005 at 15:54 UTC
    Typically with password authentication, one doesn't check that the value you have stored equals the value that the user just tried, but rather the encrypted versions of them compare equal.

    thor

    Feel the white light, the light within
    Be your own disciple, fan the sparks of will
    For all of us waiting, your kingdom will come

Re: Reversing MySQL's password function
by BUU (Prior) on Jan 16, 2005 at 00:38 UTC
    Since no one else has mentioned it, password('$clearpass') won't pass the value of $clearpass to the function password(); instead, it will send the literal string $clearpass due to the single quotes.

      Don't forget that password() is a mysql function, so the following is valid usage:

      my $sql = "select password('$clearpass')";

      Nothing wrong, indeed the single quotes are needed.

      update: OP mentions $pass=password('$clearpass'), which might be taken out of an insert:

      my $sql = "insert into tab set $pass=password('$clearpass')";
Re: Reversing MySQL's password function
by r34d0nl1 (Pilgrim) on Jan 16, 2005 at 18:43 UTC
    Unfortunately (or not) you can't get the plain text password. But you can test the password by sending the salt used to create it.
    Updated: I think that using the password function is a bad idea anyway.
    Sorry for this useless post, but I read the good answers just after posting it :p .