Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
884 views
in Technique[技术] by (71.8m points)

security - How do you change the hash algorithm in mysql?

I just noticed something about MySql which I haven't noticed before.

If you use any of the MySql hashing functions MD5, SHAx, Password, etc they all seem to return the same hash. This happens across all schemas and databases regardless of their installed instance

I have a local MySql server database, and two others hosted with different internet providers

If I do the following

  select MD5('Password');
  select Sha1('Password');
  select Sha2('Password', 224);
  select Password('Password');

each function will yield the same result across all for that function across all instances of MySql

For example if I do select MD5('Password') it gives this same dc647eb............12b3964 hash for MD5 regardless of on all of my servers. This looks a little bit suspect to me and sounds like a security hole.

Has anyone noticed this and is there anything that can be done about it?


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

MD5, SHA1 and SHA2 are simple cryptographic hashes that for any given input will, by design, produce exactly the same output. This is how they are intended to be used. You don't want the SHA2 file signature of something to come out differently each time you run the hash. They're also designed to be fast to compute.

You want things like SHA2(x) to always produce the same output for any given x so that if you have a file and a signature you can see if the file has been in any way tampered with by computing the hash and comparing it.

Password-specific hashes like Bcrypt, which you might be thinking of, work differently and produce random output. This makes them way more resistant to brute-force password guessing attacks. They're also designed to be slow, often tens if not millions of times slower than their MD5 or SHA counterpart.

You want, effectively BCRYPT(x) to be random and unpredictable for any given x so that you cannot infer x from the output.

Yes, using MD5 or SHA for passwords is a huge security problem especially if the input is unsalted. Just search for dc647eb65e6711e155375218212b3964 in your favorite search engine and see what comes up: it's instantly "dehashed". You can use a search engine as what used to be termed a Rainbow Table.

SHA and MD5 were used, extensively, for hashing passwords mostly because it was the best option at the time. Computers were also far, far slower, and GPU options didn't exist, so the risk of compromise was vastly reduced. Now tools like Hashcat exist that can crack even "difficult" passwords if someone's careless enough to use a weak hash.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...