MySQL can do long passwords. Proof:
mysql> grant all on test.* to tester@localhost identified by 'foo';
Query OK, 0 rows affected (0.01 sec)
mysql> update mysql.user set password=password(repeat('a',4096)) where user='tester';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0
mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)
I did the above trick because I was too lazy to generate a grant with
a long string. However, now I am realizing that I am going to have to
authenticate somehow to prove that it actually works, so perhaps that
trick was not that useful. But I've done it that way, so here it goes.
Note that tester@localhost pw is now 'a' repeated 4096 times.
bash-4.1$ mysql -utester -p`perl -e "print 'a'x4096;"` test -e "select 1"
+---+
| 1 |
+---+
| 1 |
+---+
works...
Now let's make sure it does not believe that all churches are true,
give it an invalid password.
bash-4.1$ mysql -utester -p`perl -e "print 'a'x4095;"` test -e "select 1"
ERROR 1045 (28000): Access denied for user 'tester'@'localhost' (using password: YES)
Indeed.
We must note that anything that hashes into the hash returned by the MySQL
PASSWORD() function will be accepted. So in theory it is possible to log
in with other passwords, but good luck finding them.
--
Sasha Pachev
Fast Running Blog.
http://fastrunningblog.com
Run. Blog. Improve. Repeat.
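
An added example, not part of the original message: it shows why the length of the password does not matter to the server, by modelling the stored PASSWORD() value and the login check that compares against it. It assumes the 4.1+ mysql_native_password scheme (not the pre-4.1 old_passwords format); the function names and the random scramble are constructed for illustration.

```python
import hashlib
import hmac
import os


def mysql_password(password: bytes) -> str:
    """Stored value: '*' + uppercase hex of SHA1(SHA1(password)), always 41 chars."""
    stage2 = hashlib.sha1(hashlib.sha1(password).digest()).digest()
    return "*" + stage2.hex().upper()


def client_token(password: bytes, scramble: bytes) -> bytes:
    """Client reply: SHA1(password) XOR SHA1(scramble + SHA1(SHA1(password)))."""
    stage1 = hashlib.sha1(password).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mask = hashlib.sha1(scramble + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mask))


def server_check(stored: str, scramble: bytes, token: bytes) -> bool:
    """Server side: undo the XOR, hash the result once, compare with the stored hash."""
    stage2 = bytes.fromhex(stored[1:])
    mask = hashlib.sha1(scramble + stage2).digest()
    candidate_stage1 = bytes(a ^ b for a, b in zip(token, mask))
    # The server never sees the password, only a 20-byte value that must
    # hash to the stored 20 bytes. Any input with that hash is accepted.
    return hmac.compare_digest(hashlib.sha1(candidate_stage1).digest(), stage2)


def demo():
    """Replay the two logins from the message against a constructed scramble."""
    stored = mysql_password(b"a" * 4096)   # what mysql.user holds for tester
    scramble = os.urandom(20)              # constructed per-connection nonce
    good = server_check(stored, scramble, client_token(b"a" * 4096, scramble))
    bad = server_check(stored, scramble, client_token(b"a" * 4095, scramble))
    return stored, good, bad


if __name__ == "__main__":
    stored, good, bad = demo()
    print("stored hash length:", len(stored))
    print("4096 x 'a' accepted:", good)
    print("4095 x 'a' accepted:", bad)
```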