{"id":14111,"date":"2020-05-08T17:37:04","date_gmt":"2020-05-08T15:37:04","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/the-evolution-of-mysql-authentication-mechanism\/"},"modified":"2020-05-08T17:37:04","modified_gmt":"2020-05-08T15:37:04","slug":"the-evolution-of-mysql-authentication-mechanism","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/the-evolution-of-mysql-authentication-mechanism\/","title":{"rendered":"The evolution of MySQL authentication mechanism"},"content":{"rendered":"

The authentication, the first level of security for each IT system, is the stage to verify the user identity through the basic username and password scheme. It is crucial to have a mechanism to protect and secure password storing and transmitting over network.<\/p>\n

In MySQL, there is plenty of different authentication methods available, and last versions improved the security of this concept.<\/p>\n

\"MySQL<\/a>
\n
\nAt the beginning, the mechanism, called mysql_old_password<\/strong><\/a>, was pretty insecure: it\u2019s based on a broken hashing function and the password is 16 bytes long. It was not so complex for attackers to find a plaintext password from the hash stored in the password<\/em> column of mysql.user<\/em> table. It has been removed in MySQL 5.7.5.<\/p>\n

A new method was introduced in MySQL 4.1 and it became the mysql_native_password<\/strong><\/a> plugin as of MySQL 5.5, enabled by default. It\u2019s based on a SHA-1 hashing algorithm and the password is 41 bytes long. On one side, it\u2019s more secure than mysql_old_password because hashes cannot be used to authenticate. But on the other side, it still has weaknesses, especially for \u201ctoo simple\u201d passwords, because for the same passwords we get the same hash. Again, it\u2019s not so complicated to search for the stolen hashes in rainbow tables to obtain the correspondent plaintext password.<\/p>\n

There have been other improvements in MySQL 5.6: sha256_password<\/strong><\/a> plugin adds a random salt in hashes generation, so this last one is unique and rainbow tables are useless. In MySQL 8.0, default authentication remains strong (same SHA-256 password hashing mechanism) but in addition it becomes faster: a cache was added on the server side to enable a faster re-authentication for accounts that have connected previously. It’s called caching_sha2_password<\/strong><\/a> and it’s now the default plugin.<\/p>\n

This MySQL authentication evolution must be seriously considered by DBAs during upgrade processes and following aspects must not to be underestimated:<\/p>\n