Does MySQL Send Passwords In the Clear?
Mar 19, 2008 / By Sheeri Cabral
I was asked this question recently, and I thought it was a great little tidbit of knowledge to pass along. The short answer is “no”. The slightly longer answer was written up by Jan Kneschke when dealing with a forum post about proxy + connection pooling.
The clear-text password is _never_ transferred in the authentication phase.
On the network we have:
* client connects to server (no data)
* server sends a seed (40 char, one-time, random)
* client sends 40 char hash of (seed + PASSWORD(clear-text-password))
* server compares against the hash(seed + SELECT password FROM mysql.user WHERE username = )
That way we never have the password as clear-text on the wire. (only in SET PASSWORD or GRANT statements).
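The exchange described above, carried through in code as an added example (not code from the original post or from MySQL). It goes beyond the simplified description by assuming the `mysql_native_password` scheme of MySQL 4.1 and later, where the seed is a 20-byte scramble and the client additionally XOR-masks its reply with SHA1(password); the function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def stored_hash(password: str) -> bytes:
    """Raw value behind the mysql.user column: SHA1(SHA1(password))."""
    return sha1(sha1(password.encode()))

def password_function(password: str) -> str:
    """Text form produced by PASSWORD(): '*' followed by 40 hex characters."""
    return "*" + stored_hash(password).hex().upper()

def client_reply(seed: bytes, password: str) -> bytes:
    """Client side: SHA1(password) XOR SHA1(seed + SHA1(SHA1(password)))."""
    stage1 = sha1(password.encode())
    mask = sha1(seed + sha1(stage1))
    return bytes(a ^ b for a, b in zip(stage1, mask))

def server_check(seed: bytes, reply: bytes, stored: bytes) -> bool:
    """Server side: unmask the reply with the stored hash, re-hash, compare."""
    if len(reply) != len(stored):
        return False
    mask = sha1(seed + stored)
    stage1 = bytes(a ^ b for a, b in zip(reply, mask))
    # Constant-time comparison of SHA1(recovered stage1) with the stored hash.
    return hmac.compare_digest(sha1(stage1), stored)

def run_exchange(password_on_server: str, password_typed: str) -> bool:
    """One full handshake with a fresh one-time seed, as listed above."""
    seed = os.urandom(20)                       # server -> client
    reply = client_reply(seed, password_typed)  # client -> server
    return server_check(seed, reply, stored_hash(password_on_server))

if __name__ == "__main__":
    pw = "example-password"  # constructed sample value
    print("stored in mysql.user:", password_function(pw))
    print("correct password accepted:", run_exchange(pw, pw))
    print("wrong password accepted:", run_exchange(pw, "not-the-password"))
```

Because the seed is fresh for every connection, a reply recorded from one handshake does not verify against the seed of another.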