Comments on: MySQL password security

By: tobe

tobe — Mon, 09 Mar 2009 21:58:28 +0000

Anyway, thermal cryptanalysis can be involved against any cryptosystem. Take a hot iron and apply it on the DBA untill THE password is recovered.

P.S. Congratulations.

P.P.S The devil hides in detail (a.k.a key exchange). Hopefully not this time.

By: Domas Mituzas

Domas Mituzas — Mon, 09 Mar 2009 07:55:33 +0000

Arjen, the very original design cover both, but not at the same time.
Did you suggest asymmetric encryption? That is the only way to pass a token over internet without tradeoffs of usual challenge-response schemes.

Of course, there is also Diffie-Hellman style key exchange, but it is quite an overhead for unencrypted fast connection…

By: Arjen Lentz

Arjen Lentz — Sun, 08 Mar 2009 23:39:37 +0000

The original design for the 4.1 scheme (by serg and I) did have both covered, but the implementation got completely borked.

By: Suzanne Axtell

Suzanne Axtell — Sun, 08 Mar 2009 21:11:02 +0000

Thanks, Domas, that is a *great* shameless plug! :)