Giuseppe Maxia wrote:
> SHA1 has been broken.
>
> http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
>
> Since MySQL passwords (4.1 and up) seem to be based on it, is there anything we should be
> concerned about?
No proof has been provided for those claims yet, nor is the scale of the alleged problem clear.
By scale I mean: if previously it would take millions of years to crack it, how much time would it take now?
The alleged problem is about finding duplicates, i.e. a different string that would produce the same SHA1 output. If the process by which this "attack" can be done is sufficiently fast, then this could indeed be relevant for the authentication protocol in MySQL 4.1.
However, there are other aspects in the protocol design that would still make it quite difficult to actually exploit. Basically, a potential attacker would only gain an advantage from this if they were able to steal the mysql.user table. Then they could use the attack to calculate possible passwords. Network sniffing or protocol intercepting wouldn't help them in any way.
Do note though that in MySQL 4.1, the user name is part of the password hash, so two users with the same password still have different SHA1 strings stored. This same feature also slows down dictionary attacks, and also attacks of the type described above.
Regards, Arjen.
--
Arjen Lentz, Exec.Director @ Open Query (http://openquery.com)
Remote expertise & maintenance for MySQL/MariaDB server environments.
Follow us at http://openquery.com/blog/ & http://twitter.com/openquery
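
The challenge-response exchange behind the "network sniffing wouldn't help" point, as an added example that is not part of the original message or MySQL's own code. It follows the published description of the 4.1 scheme (mysql_native_password); the password and scramble values are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash(password: str) -> bytes:
    """What the server keeps in mysql.user: SHA1(SHA1(password))."""
    return sha1(sha1(password.encode()))


def display_hash(password: str) -> str:
    """Text form of the stored value: '*' followed by 40 hex digits."""
    return "*" + stored_hash(password).hex().upper()


def client_token(password: str, scramble: bytes) -> bytes:
    """Client reply: SHA1(pw) XOR SHA1(scramble + SHA1(SHA1(pw)))."""
    stage1 = sha1(password.encode())
    return xor(stage1, sha1(scramble + sha1(stage1)))


def server_verify(token: bytes, scramble: bytes, stored: bytes) -> bool:
    """Server strips the XOR mask using its stored hash, re-hashes, compares."""
    if len(token) != 20:
        return False
    candidate_stage1 = xor(token, sha1(scramble + stored))
    return hmac.compare_digest(sha1(candidate_stage1), stored)


def demo() -> dict:
    password = "correct horse"                  # constructed sample password
    stored = stored_hash(password)
    scramble_a = bytes(range(20))               # constructed per-connection challenge
    scramble_b = bytes(range(20, 40))           # challenge of a later connection
    token_a = client_token(password, scramble_a)
    return {
        "login_ok": server_verify(token_a, scramble_a, stored),
        "wrong_password": server_verify(client_token("guess", scramble_a), scramble_a, stored),
        # A token captured on one connection fails against a fresh challenge.
        "replayed_token": server_verify(token_a, scramble_b, stored),
        # Neither the password hash nor the stored hash crosses the wire as-is.
        "hash_on_wire": token_a in (sha1(password.encode()), stored),
    }
```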