MySQL Forums

Re: validate_password_strength
Posted by: Georgi Kodinov
Date: July 11, 2016 02:53AM

Christian,

The password in your example is not encrypted, it's hashed. And the difference is that hashing is irreversible, i.e. you can't know the original password knowing the hash only (without employing special computationally extensive techniques).

So the answer to your question whether you can evaluate existing passwords by hash only is: not in the general case.

One way to fix that is to force a password rotation for the existing users, i.e. mark their passwords as expired. Then you still won't know their passwords, but they'd be able to log in and change them so that they comply with the newly enforced password strength policy.

See http://dev.mysql.com/doc/refman/5.7/en/password-expiration-policy.html for more details on password expiration.
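
Added example, not part of the original post: one way to carry out the rotation described above from an administrative session. It assumes MySQL 5.7.6 or later with the validate_password plugin installed; the account name `app_user` and the sample password strings are constructed placeholders.

```sql
-- 1. Check the policy that newly chosen passwords will be validated against.
SHOW VARIABLES LIKE 'validate_password%';

-- 2. VALIDATE_PASSWORD_STRENGTH() scores a cleartext candidate from 0 to 100.
--    It cannot score the hash held in mysql.user.authentication_string,
--    which is why existing passwords cannot be audited this way.
SELECT VALIDATE_PASSWORD_STRENGTH('constructed-Sample-Passw0rd!') AS score;

-- 3. List accounts that still have an unexpired password. Locked accounts
--    (for example the internal mysql.sys account) are skipped.
SELECT user, host, plugin, password_last_changed
FROM mysql.user
WHERE password_expired = 'N'
  AND account_locked = 'N';

-- 4. Generate one ALTER USER statement per account. Review the output before
--    running it: accounts used by applications or scripts cannot change
--    their own password interactively and will stop working until an
--    administrator sets a new one for them.
SELECT CONCAT('ALTER USER ', QUOTE(user), '@', QUOTE(host),
              ' PASSWORD EXPIRE;') AS stmt
FROM mysql.user
WHERE password_expired = 'N'
  AND account_locked = 'N';

-- 5. What one generated statement looks like (constructed account name;
--    IF EXISTS turns a missing account into a warning instead of an error).
ALTER USER IF EXISTS 'app_user'@'localhost' PASSWORD EXPIRE;

-- 6. Confirm the flag is set.
SELECT user, host, password_expired
FROM mysql.user
WHERE user = 'app_user';

-- 7. At next login the user is restricted until they choose a new password,
--    which validate_password then checks against the policy from step 1.
--    The user (not the administrator) runs:
--      ALTER USER USER() IDENTIFIED BY '<new password chosen by the user>';
```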
