Documentation Home
MySQL Internals Manual

MySQL Internals Manual  /  ...  /  Secure Password Authentication

14.3.3 Secure Password Authentication

  • client-side expects a 20-byte random challenge

  • client-side returns a 20-byte response based on the algorithm described later





This method fixes a 2 short-comings of the Old Password Authentication:

  • using a tested, crypto-graphic hashing function which isn't broken

  • knowning the content of the hash in the mysql.user table isn't enough to authenticate against the MySQL Server.

The password is calculated by:

SHA1( password ) XOR SHA1( "20-bytes random data from server" <concat> SHA1( SHA1( password ) ) )

User Comments
Sign Up Login You must be logged in to post a comment.