Bug #21018 Requirement to encrypt passwords in Java
Submitted: 12 Jul 2006 21:25 Modified: 10 Apr 2015 9:53
Reporter: Peter Toye
Status: Won't fix Impact on me: None
Category: Connector / J Severity: S4 (Feature request)
Version: OS: Any
Assigned to: Alexander Soklakov CPU Architecture: Any
Tags: encryption, passwords

[12 Jul 2006 21:25] Peter Toye
Description:
While the connector seems to encrypt passwords when connecting, the CHANGE PASSWORD and IDENTIFIED BY constructions pass the password in cleartext, which rather defeats the object of the exercise.

I note that a C++ function make_scrambled_password() exists to perform the hashing on the client machine.

Can a similar function please be provided for Java?

How to repeat:
n/a

Suggested fix:
n/a
[1 Sep 2009 11:33] Tonci Grgin
This appears to be a legitimate feature request to me.
Mark?
[30 Apr 2013 14:09] Todd Farmer
Since this request was first made, the server has developed in ways where this makes less sense today than previously, and client-side hashing isn't entirely recommended.  Here are reasons to *not* implement this:

* New authentication plugins such as sha256_password have different password hashing requirements, which cannot be expressed by sending a hash.
* New server-side functionality such as password complexity checking (validate_password plugin) is bypassed if the client sends only the hash.
* SSL connections can be used in environments where network encryption is required.
* This would add overhead of additional client-side parsing of commands in order to identify, capture and rewrite such statements.
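The contrast Todd Farmer's comment draws, as an added example that is not part of this thread and not Connector/J or MySQL server code: the connect-time handshake is a challenge-response over a per-connection scramble (the documented mysql_native_password scheme, the same double-SHA1 form that make_scrambled_password() and PASSWORD() produce), so the password never crosses the wire, whereas a SET PASSWORD ... = PASSWORD('...') or IDENTIFIED BY '...' statement carries the literal and is readable to anyone who can see the unencrypted session. Sending a pre-computed hash instead hides the literal but also hides it from the server, so a complexity policy has nothing to check. The SQL statements are constructed, and meets_policy() is an assumed simplification of a validate_password-style rule, not the plugin's own logic.

```python
"""Added example: mysql_native_password handshake versus password-change
statements.  Not Connector/J or server code; assumptions are marked inline."""
import hashlib
import os
import re
from typing import Optional, Tuple

SCRAMBLE_LEN = 20  # the server's per-connection nonce in the 4.1+ protocol


def _sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def mysql_native_hash(password: str) -> str:
    """Stored form produced by PASSWORD() / make_scrambled_password():
    '*' + HEX(SHA1(SHA1(password))), 41 characters."""
    return "*" + _sha1(_sha1(password.encode("utf-8"))).hex().upper()


def client_auth_response(password: str, scramble: bytes) -> bytes:
    """What the connector sends at connect time:
    SHA1(pw) XOR SHA1(scramble || SHA1(SHA1(pw))).  Neither the password nor
    the stored hash is on the wire, and the token is bound to this scramble."""
    if len(scramble) != SCRAMBLE_LEN:
        raise ValueError("mysql_native_password scramble must be 20 bytes")
    stage1 = _sha1(password.encode("utf-8"))
    stage2 = _sha1(stage1)
    token = _sha1(scramble + stage2)
    return bytes(a ^ b for a, b in zip(stage1, token))


def server_verify(stored_hash: str, scramble: bytes, response: bytes) -> bool:
    """Server side: XOR the response with SHA1(scramble || stored) to recover
    SHA1(pw), then check that SHA1 of it equals the stored SHA1(SHA1(pw))."""
    if not stored_hash.startswith("*") or len(stored_hash) != 41:
        return False
    stage2 = bytes.fromhex(stored_hash[1:])
    token = _sha1(scramble + stage2)
    recovered_stage1 = bytes(a ^ b for a, b in zip(response, token))
    return _sha1(recovered_stage1) == stage2


# --- Password-change statements, as seen by anyone watching the session ------

_CLEARTEXT_RE = re.compile(
    r"(?:PASSWORD\s*\(\s*'([^']*)'\s*\)|IDENTIFIED\s+BY\s+'([^']*)')",
    re.IGNORECASE,
)


def password_on_the_wire(sql: str) -> Optional[str]:
    """Cleartext password carried by a SET PASSWORD ... = PASSWORD('x') or
    IDENTIFIED BY 'x' statement, or None when only a '*...' hash is sent."""
    m = _CLEARTEXT_RE.search(sql)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def meets_policy(password: str) -> bool:
    """Assumed simplification of a validate_password MEDIUM-style rule
    (length >= 8, upper, lower, digit, special).  Not the plugin's code."""
    return (len(password) >= 8
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def policy_check(sql: str) -> Tuple[str, Optional[bool]]:
    """('cleartext', verdict) when the server can see the password;
    ('hashed', None) when it cannot: a weak and a strong password yield
    hashes the policy cannot tell apart, which is the bypass noted above."""
    pw = password_on_the_wire(sql)
    if pw is None:
        return ("hashed", None)
    return ("cleartext", meets_policy(pw))


def demo() -> dict:
    pw = "password"
    stored = mysql_native_hash(pw)
    scramble = os.urandom(SCRAMBLE_LEN)  # constructed stand-in for the server nonce
    ok = server_verify(stored, scramble, client_auth_response(pw, scramble))
    bad = server_verify(stored, scramble, client_auth_response("Password", scramble))
    cleartext_stmt = "SET PASSWORD FOR 'app'@'localhost' = PASSWORD('password')"
    hashed_stmt = f"SET PASSWORD FOR 'app'@'localhost' = '{stored}'"
    return {"stored": stored, "login_ok": ok, "wrong_pw_rejected": not bad,
            "cleartext_stmt": policy_check(cleartext_stmt),
            "hashed_stmt": policy_check(hashed_stmt)}


if __name__ == "__main__":
    print(demo())
```

Two properties are worth noting from running it: a captured handshake response is useless against a different scramble, which is what makes the connect path safe on a cleartext link, and the hashed SET PASSWORD form returns no policy verdict at all, which is exactly why the server-side answer in this thread is TLS rather than client-side hashing.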
[10 Oct 2014 9:50] Daniël van Eeden
I agree with Todd Farmer. The solution is to use SSL.
[10 Apr 2015 9:53] Alexander Soklakov
I close this request as Won't fix.
[10 Apr 2015 10:26] Peter Toye
Well, after 8 years I'd forgotten completely about this. As I'm no longer using MySQL it's not an issue for me any more!

My original request was more from a theoretical background as the application I was developing at the time had the client and server on the same machine.