MySQL Internals Manual


14.3.3 Secure Password Authentication

  • client-side expects a 20-byte random challenge

  • client-side returns a 20-byte response based on the algorithm described later





This method fixes two shortcomings of Old Password Authentication:

  • it uses a tested cryptographic hashing function which isn't broken

  • knowing the content of the hash in the mysql.user table isn't enough to authenticate against the MySQL Server.

The response is calculated from the password by:

SHA1( password ) XOR SHA1( "20-bytes random data from server" <concat> SHA1( SHA1( password ) ) )
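
The formula above carried through in Python, as an added example that is not code from MySQL or from this manual. The server-side check assumes the server stores SHA1( SHA1( password ) ) and verifies the response by undoing the XOR; the function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_response(password: bytes, challenge: bytes) -> bytes:
    """SHA1(password) XOR SHA1(challenge <concat> SHA1(SHA1(password)))."""
    if len(challenge) != 20:
        raise ValueError("challenge must be 20 bytes")
    stage1 = sha1(password)
    return xor(stage1, sha1(challenge + sha1(stage1)))


def server_verify(stored_hash: bytes, challenge: bytes, response: bytes) -> bool:
    """Verify a response knowing only SHA1(SHA1(password)) (assumed stored value)."""
    if len(challenge) != 20 or len(response) != 20:
        return False
    # Undo the XOR: for a correct response this yields SHA1(password).
    candidate = xor(response, sha1(challenge + stored_hash))
    # Hash once more and compare in constant time with the stored value.
    return hmac.compare_digest(sha1(candidate), stored_hash)


def demo() -> dict:
    password = b"constructed-sample-password"  # constructed sample value
    stored = sha1(sha1(password))               # assumed content of the stored hash
    challenge = os.urandom(20)                  # 20-byte random challenge
    good = client_response(password, challenge)
    return {
        "response_len": len(good),
        "correct_password": server_verify(stored, challenge, good),
        "wrong_password": server_verify(stored, challenge, client_response(b"guess", challenge)),
        # Sending the stored hash itself as the response does not authenticate.
        "stored_hash_as_response": server_verify(stored, challenge, stored),
        # A response computed for one challenge is rejected under a fresh one.
        "old_response_new_challenge": server_verify(stored, os.urandom(20), good),
    }


if __name__ == "__main__":
    print(demo())
```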
