Authenticating to a DB with a key?

Sasha Pachev sasha at asksasha.com
Mon Apr 8 17:52:02 MDT 2013


MySQL can do long passwords. Proof:

mysql> grant all on test.* to tester@localhost identified by 'foo';
Query OK, 0 rows affected (0.01 sec)

mysql> update mysql.user set password=password(repeat('a',4096)) where user='tester';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)

I did the above trick because I was too lazy to generate a grant with
a long string. However, now I am realizing that I am going to have to
authenticate somehow to prove that it actually works, so perhaps that
trick was not that useful. But I've done it that way, so here it goes.
Note that tester@localhost pw is now 'a' repeated 4096 times.

bash-4.1$ mysql -utester -p`perl -e "print 'a'x4096;"` test -e "select 1"
+---+
| 1 |
+---+
| 1 |
+---+

works...

Now let's make sure it does not believe that all churches are true,
give it an invalid password.

bash-4.1$ mysql -utester -p`perl -e "print 'a'x4095;"` test -e "select 1"
ERROR 1045 (28000): Access denied for user 'tester'@'localhost' (using password: YES)

Indeed.

We must note that anything that hashes into the hash returned by MySQL
PASSWORD() function will be accepted. So in theory it is possible to log
in with other passwords, but good luck finding them.


-- 
Sasha Pachev

Fast Running Blog.
http://fastrunningblog.com
Run. Blog. Improve. Repeat.
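
Added example, not part of the original post: a Python sketch of why the 4096-character password is stored and checked as a fixed-size value, and what "anything that hashes into the hash" means on the server side. It assumes the 4.1+ PASSWORD() format used by mysql_native_password and a non-empty password; the function names and the random scramble are constructed for illustration.

```python
import hashlib
import hmac
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def mysql_password(password: str) -> str:
    """Value PASSWORD() yields for a non-empty password (4.1+ format):
    '*' followed by the uppercase hex of SHA1(SHA1(password)), 41 chars."""
    return "*" + sha1(sha1(password.encode())).hex().upper()


def client_token(password: str, scramble: bytes) -> bytes:
    """Reply the client sends during login. Always 20 bytes, whatever the
    password length: SHA1(pw) XOR SHA1(scramble + SHA1(SHA1(pw)))."""
    stage1 = sha1(password.encode())
    mask = sha1(scramble + sha1(stage1))
    return bytes(a ^ b for a, b in zip(stage1, mask))


def server_accepts(stored: str, scramble: bytes, token: bytes) -> bool:
    """Server-side check. It uses only the stored hash, never the password:
    unmask the token, hash the result once, compare with the stored value."""
    stage2 = bytes.fromhex(stored[1:])
    mask = sha1(scramble + stage2)
    candidate_stage1 = bytes(a ^ b for a, b in zip(token, mask))
    return hmac.compare_digest(sha1(candidate_stage1), stage2)


def demo() -> dict:
    stored = mysql_password("a" * 4096)   # what the UPDATE in the post wrote
    scramble = os.urandom(20)             # constructed per-connection nonce
    good = client_token("a" * 4096, scramble)
    bad = client_token("a" * 4095, scramble)
    return {
        "stored_len": len(stored),
        "token_len": len(good),
        "good": server_accepts(stored, scramble, good),
        "bad": server_accepts(stored, scramble, bad),
    }


if __name__ == "__main__":
    print(demo())
```

Any input whose double SHA-1 equals the stored value passes `server_accepts`, which is the collision caveat the post ends on.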

