Edit report at https://bugs.php.net/bug.php?id=50815&edit=1

 ID:                 50815
 Updated by:         and...@php.net
 Reported by:        jd at cpanel dot net
 Summary:            Implement 323 short password hash fallback in
                     mysqlnd
 Status:             Wont fix
 Type:               Feature/Change Request
 Package:            MySQL related
 Operating System:   any
 PHP Version:        5.3.1
 Assigned To:        mysql
 Block user comment: N
 Private report:     N

 New Comment:

There is no such thing as discouraging. It is about updating the credentials, 
so they are more secure. Just use SET PASSWORD and hash the password again.


Previous Comments:
------------------------------------------------------------------------
[2012-10-26 17:18:09] toddr at cpanel dot net

If you want to discourage use of the short password method, couldn't you just
add a configure option to enable this and disable it by default?

------------------------------------------------------------------------
[2012-10-26 17:11:47] toddr at cpanel dot net

If all MySQL 5 versions support this hashing scheme, aren't you kinda
overriding a user decision to enable short passwords on their MySQL server?
It's also not clear when the failure happens what the problem is.

------------------------------------------------------------------------
[2010-08-27 06:00:08] ahar...@php.net

Fix up the package to make this easier to search for.

------------------------------------------------------------------------
[2010-08-26 13:31:35] u...@php.net

We mysql guys have no plans to add old insecure password stuff to mysqlnd. As
it is assigned to us/me, I'm changing status to what shall be the status from
our/my perspective: won't fix.

------------------------------------------------------------------------
[2010-03-03 16:57:40] chris at geartech dot org

I am running into this issue with mysqlnd as well; at my work we must keep old 
passwords on a few daemons to ensure backwards compatibility with proprietary 
software.  MySQL's website (checking the 5.1 & 5.5 documentation) doesn't have 
the old password format deprecated in the newer versions, it's merely 
discouraged.

While I agree that it is an insecure format and deprecating/removing support of
it would be ideal, it seems like support for this password scheme will
exist in (major) future versions.

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=50815
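
The "use SET PASSWORD and hash the password again" advice from the newest comment, as an added example that is not part of the bug report or of PHP/MySQL code: it classifies stored hashes by format and emits the rehash statements for accounts still on the 16-character short hash. The account rows, the `<new password>` placeholder and all function names are constructed for illustration.

```python
import hashlib
import re

PRE41 = re.compile(r"[0-9a-fA-F]{16}")    # short (3.23-style) hash: 16 hex chars
V41 = re.compile(r"\*[0-9a-fA-F]{40}")    # 4.1+ hash: '*' + hex(SHA1(SHA1(password)))


def mysql41_hash(password: str) -> str:
    """Format produced by PASSWORD() on MySQL 4.1+ when old_passwords=0."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify(stored: str) -> str:
    """Classify a stored password column value by its hash format."""
    if stored == "":
        return "empty"
    if PRE41.fullmatch(stored):
        return "pre-4.1"
    if V41.fullmatch(stored):
        return "4.1"
    return "unknown"


def quote(value: str) -> str:
    """Quote a user or host name as a MySQL string literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def remediation(rows):
    """Return the statements that rehash every account still on a short hash."""
    stmts = [
        f"SET PASSWORD FOR {quote(user)}@{quote(host)} = PASSWORD('<new password>');"
        for user, host, stored in rows
        if classify(stored) == "pre-4.1"
    ]
    if stmts:
        # With old_passwords=1 in the session, PASSWORD() would emit a short hash again.
        stmts.insert(0, "SET SESSION old_passwords = 0;")
    return stmts


# Constructed sample of (User, Host, Password) rows; not taken from a real server.
SAMPLE_ROWS = [
    ("legacy_daemon", "10.0.0.%", "1a2b3c4d5e6f7081"),
    ("webapp", "localhost", mysql41_hash("constructed-sample-secret")),
    ("anon", "localhost", ""),
]

if __name__ == "__main__":
    print("\n".join(remediation(SAMPLE_ROWS)))
```

Accounts classified as "pre-4.1" are the ones mysqlnd refuses to authenticate; the client connects again once each has been rehashed.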

