Bernard Igiri - 2 months ago
MySQL Question

Is the MySQL password function vulnerable to this?

Is storing a password in the DB using MySQL's password function just as bad as this?

http://money.cnn.com/2012/06/06/technology/linkedin-password-hack/?source=linkedin


The problem with SHA-1 is that it translates the same text the same way each time. So if your password is "password" and your friend's password is also "password," they will be hashed exactly the same way. That makes reversing the process to uncover the original password significantly easier.


I know it says SHA-1, but obviously any unsalted one way hash would have the same issue.

Answer

Is storing a password in the DB using MySQL's password function just as bad as this?

Yes.

Generally speaking you want to use a method that includes a salt, preferably unique for each user, and is slow to run to prevent brute force cracking. Bcrypt is the currently recommended way to go when storing passwords because it is intentionally (relatively) slow to create.
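To make the answer's point concrete, here is an added example (not code from the question or answer) that puts MySQL's old-style PASSWORD() next to a salted, deliberately slow hash. The mysql_password function reimplements the 4.1+ PASSWORD() format (an asterisk followed by the uppercase hex of SHA1 applied twice) so the determinism is visible: two users with the same password get byte-identical strings. The answer recommends bcrypt; because bcrypt needs a third-party package, the salted side here uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in, which has the same two properties the answer asks for (a per-user random salt and a tunable cost). The storage format, iteration count and the sample user records are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def mysql_password(password: str) -> str:
    """Reimplementation of MySQL's PASSWORD() (4.1+ format):
    '*' + uppercase hex of SHA1(SHA1(password)).
    No salt, no cost parameter: same input always gives the same output."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Deliberately slow; pick a value that costs tens of milliseconds on your hardware.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, slow hash (PBKDF2-HMAC-SHA256, a stand-in for bcrypt).
    The result is self-describing so verify_password can recompute it:
    'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>' (assumed format)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_groups(records: Dict[str, str]) -> List[List[str]]:
    """Group usernames whose stored hash is identical.
    With an unsalted hash this reveals who shares a password; with a
    per-user salt the groups are empty even for identical passwords."""
    by_hash: Dict[str, List[str]] = {}
    for user, stored in records.items():
        by_hash.setdefault(stored, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


# Constructed sample accounts: two of them chose the same password.
SAMPLE_USERS = {"alice": "password", "bob": "password", "carol": "correct horse"}


def compare_schemes() -> Dict[str, List[List[str]]]:
    """Store the sample users under both schemes and report who collides."""
    unsalted = {u: mysql_password(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    return {
        "mysql_password": duplicate_hash_groups(unsalted),
        "salted_slow": duplicate_hash_groups(salted),
    }


if __name__ == "__main__":
    for scheme, groups in compare_schemes().items():
        print(scheme, "users sharing a hash:", groups)
```

Running it shows alice and bob grouped together under mysql_password and no groups under the salted scheme, which is exactly the difference the CNN quote describes: with a unique salt, cracking one user's hash tells you nothing about the others, and the iteration count makes each guess cost far more than a single SHA-1.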