Hi, Thomas Goirand <tho...@goirand.fr> writes: > On 04/08/2011 08:14 AM, Ansgar Burchardt wrote: >> I noticed you prepared a patch[1] using MySQL's PASSWORD() function. >> Please note that this function should *not* be used by applications >> besides MySQL itself[2] in addition to not salting the hash. The crypt >> function included in PHP itself[3] with salting and a modern hash like >> SHA-512 seems to be a better choice. >> >> [1] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614304#56> >> [2] >> <http://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html#function_password> >> [3] <http://php.net/manual/en/function.crypt.php> > > Thanks for letting me know before it's too late. Indeed, I didn't know. > > Now, the issue is that in few places, I will need to use the encryption > from the command line. In such a case, using the crypt() function of PHP > is not really convenient (even though I can use a php cli, I'd rather > avoid if possible). So, do you think it's acceptable to use the SHA2() > function of MySQL instead, which would be a lot more strait forward to > use for me?
Just SHA2() is not enough for modern password hashing algorithms as these include many iterations of the hash function (I don't know very much about this myself). So I would recommend using an existing implementation instead of writing a possibly less secure replacement. In shell scripts you could use either mkpasswd, a wrapper around crypt() included in Debian's whois package, or call crypt via php. Please make sure that the password is not passed as a parameter (which is visible in the process list). > Somebody else suggested the haval160 algo of PHP. Do you as well think > it's a good idea? That would also force me to use PHP all the time... To quote Wikipedia[4]: Research has uncovered weaknesses which make further use of HAVAL (at least the variant with 128 bits and 3 passes) questionable. On 17 August 2004, collisions for HAVAL (128 bits, 3 passes) were announced by Xiaoyun Wang, Dengguo Feng, Xuejia Lai, and Hongbo Yu. So I would not recommend using it. Regards, Ansgar [4] <http://en.wikipedia.org/wiki/HAVAL> -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
