MySQL密码功能 [英] MySQL password function
问题描述
使用MySQL的密码功能对应用程序使用的密码进行哈希处理是好还是坏的做法?我可以看到优点和缺点.我很好奇是否有普遍共识.
Is it considered good or bad practice to use MySQL's password function to hash passwords used by an application? I can see pros and cons. I'm curious if there is a general consensus on whether it is good or bad.
推荐答案
The docs for MySQL's PASSWORD() function states:
PASSWORD()函数由MySQL Server中的身份验证系统使用;您不应该在自己的应用程序中使用它.
The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications.
阅读"您可能存储了错误的密码"以获取有关以下方面的更好建议散列并存储密码.
Read "You're Probably Storing Passwords Incorrectly" for better advice on hashing and storing passwords.
MD5和SHA-1被认为太弱而无法使用密码.当前的建议是使用SHA-256.
MD5 and SHA-1 are considered to be too weak to use for passwords. The current recommendation is to use SHA-256.
我为MySQL提供了一个补丁,以支持 SHA2()
函数,并且该补丁已被接受,但由于他们的路线图已更改,因此尚不清楚何时将其制作为已发布的产品.
I contributed a patch to MySQL to support a SHA2()
function, and the patch was accepted, but since their roadmap has changed it's not clear when it will make it into a released product.
同时,您可以在编程语言中使用哈希和加盐,并且只需将结果哈希摘要存储在数据库中.如果您使用PHP,则 hash()
函数中可以使用SHA-256.
In the meantime, you can use hashing and salting in your programming language, and simply store the result hash digest in the database. If you use PHP, SHA-256 is available in the hash()
function.
更新:MySQL 5.5.8于2010年12月发布,该版本包含对
update: MySQL 5.5.8 was released in December 2010, and that release contains support for the SHA2()
function.
这篇关于MySQL密码功能的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!