Edit report at https://bugs.php.net/bug.php?id=50815&edit=1

 ID:                 50815
 Comment by:         toddr at cpanel dot net
 Reported by:        jd at cpanel dot net
 Summary:            Implement 323 short password hash fallback in
                     mysqlnd
 Status:             Wont fix
 Type:               Feature/Change Request
 Package:            MySQL related
 Operating System:   any
 PHP Version:        5.3.1
 Assigned To:        mysql
 Block user comment: N
 Private report:     N

 New Comment:

If all MySQL 5 versions support this hashing scheme, aren't you kinda overriding
a user decision to enable short passwords on their MySQL server? It's also not
clear, when the failure happens, what the problem is.


Previous Comments:
------------------------------------------------------------------------
[2010-08-27 06:00:08] ahar...@php.net

Fix up the package to make this easier to search for.

------------------------------------------------------------------------
[2010-08-26 13:31:35] u...@php.net

We mysql guys have no plans to add old insecure password stuff to mysqlnd. As
it is assigned to us/me, I'm changing status to what shall be the status from
our/my perspective: won't fix.

------------------------------------------------------------------------
[2010-03-03 16:57:40] chris at geartech dot org

I am running into this issue with mysqlnd as well; at my work we must keep old
passwords on a few daemons to ensure backwards compatibility with proprietary
software. MySQL's website (checking the 5.1 & 5.5 documentation) doesn't have
the old password format deprecated in the newer versions; it's merely
discouraged.

While I agree that it is an insecure format and deprecating/removing support of
it would be ideal, it seems like support for this password scheme will exist in
(major) future versions.

------------------------------------------------------------------------
[2010-01-21 19:17:49] jd at cpanel dot net

I'd agree with you there. They should be using the long hashes. The problem
is when you have a system that's been in place for a very long time and the
passwords haven't ever changed. The short hashes are still in the user table
and the existing libmysqlclient happily connects with them. For some users
this makes switching to mysqlnd a very difficult process. You need to force
all of these old accounts to re-enter their passwords so they can be rehashed.

The main point is that if it's insecure to the point where it's worth breaking
backward compatibility, why do the latest versions of libmysqlclient continue
to provide this functionality? The short hashes in the user table are the
security problem, not the ability to send them from the client side, right?
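
Added example (not from this thread, PHP or MySQL) of the audit the comment
above implies: classify the stored hashes from mysql.user so the accounts still
on the 16-character pre-4.1 scheme can be listed for a password re-set. The
column names assume `SELECT User, Host, Password FROM mysql.user` on a 4.1-5.6
server; every sample row and hash value is constructed.

```python
"""Audit mysql.user rows for pre-4.1 ("323") short password hashes.

Added example for this bug thread, not PHP or MySQL project code.  Input rows
are assumed to come from `SELECT User, Host, Password FROM mysql.user`; the
sample rows and hash values at the bottom are constructed."""
import re

# Pre-4.1 scheme: 16 hex characters.  4.1+ "native" scheme: '*' + 40 hex.
OLD_HASH = re.compile(r"^[0-9a-f]{16}$", re.IGNORECASE)
NATIVE_HASH = re.compile(r"^\*[0-9A-F]{40}$", re.IGNORECASE)


def classify_hash(stored):
    """Classify one Password column value: 'empty', 'old', 'native' or 'unknown'."""
    if stored == "":
        return "empty"
    if OLD_HASH.match(stored):
        return "old"
    if NATIVE_HASH.match(stored):
        return "native"
    return "unknown"  # e.g. plugin-managed or mangled value: inspect by hand


def audit(rows):
    """rows: iterable of (user, host, stored_hash).

    Returns per-scheme counts plus the accounts that cannot authenticate
    through mysqlnd and must have their password re-set (a SET PASSWORD with
    old_passwords off on the server stores the 4.1+ hash)."""
    counts = {"empty": 0, "old": 0, "native": 0, "unknown": 0}
    needs_reset = []
    for user, host, stored in rows:
        kind = classify_hash(stored)
        counts[kind] += 1
        if kind == "old":
            needs_reset.append((user, host))
    return {"counts": counts, "needs_reset": needs_reset}


# Constructed sample of mysql.user rows (all hash values are made up).
SAMPLE_ROWS = [
    ("root", "localhost", "*" + "ABCDEF0123" * 4),
    ("legacy_app", "10.0.0.5", "5d2e19393cc5ef67"),
    ("reports", "%", ""),
    ("billing", "localhost", "6d3a8b2f1c4e9d70"),
    ("svc", "localhost", "plugin-managed"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_ROWS)
    print(report["counts"])
    for user, host in report["needs_reset"]:
        print(f"reset needed: '{user}'@'{host}'")
```

Once the list is empty, enabling the server's secure_auth option keeps
accounts with old-format hashes from being used again.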

------------------------------------------------------------------------
[2010-01-21 19:07:00] johan...@php.net

The old hashing algorithm was insecure, which means passwords could be guessed
with little effort. Additionally, the last MySQL Server version which depended
on this format is 4.0, which has been out of support by MySQL (see
http://www.mysql.com/about/legal/lifecycle/ ) since 2006 (extended support for
customers ended 2008-09).

Why do you need an insecure auth mechanism?

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=50815

