Comments on: Does MySQL Send Passwords In the Clear? http://www.pythian.com/blogs/882/does-mysql-send-passwords-in-the-clear News and views from Pythian DBAs Fri, 8 Aug 2008 21:08:14 +0000 http://wordpress.org/?v=2.3.2 By: Matthew Montgomery http://www.pythian.com/blogs/882/does-mysql-send-passwords-in-the-clear#comment-172335 Matthew Montgomery Thu, 20 Mar 2008 03:51:13 +0000 http://www.pythian.com/blogs/882/does-mysql-send-passwords-in-the-clear#comment-172335 @Tom Krouper It does already... $ ./bin/mysqlbinlog data/katzs-binlog.000001 | grep PASSWORD SET PASSWORD FOR 'root'@'localhost'='*E74858DB86EBA20BC33D0AECAE8A8108C56B17FA'/*!*/; @Tom Krouper

It does already…

$ ./bin/mysqlbinlog data/katzs-binlog.000001 | grep PASSWORD
SET PASSWORD FOR ‘root’@'localhost’='*E74858DB86EBA20BC33D0AECAE8A8108C56B17FA’/*!*/;

]]> By: Tom Krouper http://www.pythian.com/blogs/882/does-mysql-send-passwords-in-the-clear#comment-172290 Tom Krouper Thu, 20 Mar 2008 00:52:05 +0000 http://www.pythian.com/blogs/882/does-mysql-send-passwords-in-the-clear#comment-172290 I kind of wish that the set password and grant weren't put in clear text. Anyway to get the binary log to add the encrypted version of the password? I kind of wish that the set password and grant weren’t put in clear text. Anyway to get the binary log to add the encrypted version of the password?

]]> By: Bill Karwin http://www.pythian.com/blogs/882/does-mysql-send-passwords-in-the-clear#comment-172278 Bill Karwin Wed, 19 Mar 2008 23:42:46 +0000 http://www.pythian.com/blogs/882/does-mysql-send-passwords-in-the-clear#comment-172278 Right; MySQL authentication never transmits passwords in the clear, but many web apps use their own authentication instead of MySQL passwords. It's up to the application developer to encode passwords instead of transmitting them in the clear. In other words, what's the difference between the following two queries: SELECT (MD5(?) = a.password_hash) AS is_match FROM accounts a WHERE a.login = ?; -- send password in the clear and encode it in the SQL engine SELECT (? = a.password_hash) AS is_match FROM accounts a WHERE a.login = ?; -- encode password in the application and send MD5 digest to the RDBMS Right; MySQL authentication never transmits passwords in the clear, but many web apps use their own authentication instead of MySQL passwords. It’s up to the application developer to encode passwords instead of transmitting them in the clear. In other words, what’s the difference between the following two queries:

SELECT (MD5(?) = a.password_hash) AS is_match FROM accounts a WHERE a.login = ?;
– send password in the clear and encode it in the SQL engine

SELECT (? = a.password_hash) AS is_match FROM accounts a WHERE a.login = ?;
– encode password in the application and send MD5 digest to the RDBMS

]]>