Bug #21018 | Requirement to encrypt passwords in Java | ||
---|---|---|---|
Submitted: | 12 Jul 2006 21:25 | Modified: | 10 Apr 2015 9:53 |
Reporter: | Peter Toye | Email Updates: | |
Status: | Won't fix | Impact on me: | |
Category: | Connector / J | Severity: | S4 (Feature request) |
Version: | OS: | Any | |
Assigned to: | Alexander Soklakov | CPU Architecture: | Any |
Tags: | encryption, passwords |
[12 Jul 2006 21:25]
Peter Toye
[1 Sep 2009 11:33]
Tonci Grgin
This appears to be a legitimate feature request to me. Mark?
[30 Apr 2013 14:09]
Todd Farmer
Since this request was first made, the server has developed in ways where this makes less sense today than previously, and client-side hashing isn't entirely recommended. Here are reasons to *not* implement this:

* New authentication plugins such as sha256_password have different password hashing requirements, which cannot be expressed by sending a hash.
* New server-side functionality such as password complexity checking (validate_password plugin) is bypassed if the client sends only the hash.
* SSL connections can be used in environments where network encryption is required.
* This would add overhead of additional client-side parsing of commands in order to identify, capture and rewrite such statements.
[10 Oct 2014 9:50]
Daniël van Eeden
I agree with Todd Farmer. The solution is to use SSL.
[10 Apr 2015 9:53]
Alexander Soklakov
I close this request as Won't fix.
[10 Apr 2015 10:26]
Peter Toye
Well, after 8 years I'd forgotten completely about this. As I'm no longer using MySQL it's not an issue for me any more! My original request was more from a theoretical background as the application I was developing at the time had the client and server on the same machine.