简体繁体 English

mysql 使用什么样的哈希？

[英]What kind of hash does mysql use?

原文 2013-07-19 04:18:36 6 3 mysql/ hash/ passwords

I'm writing my own code similar to phpMyAdmin.我正在编写自己的类似于 phpMyAdmin 的代码。 But I'll need the user to be able to sign on using their username and password from the mysql database.但是我需要用户能够使用 mysql 数据库中的用户名和密码进行登录。 I need to know what kind of hash the mysql database uses to store each users password.我需要知道 mysql 数据库使用什么样的哈希来存储每个用户的密码。 I checked dev.mysql.com for answers but couldnt find anything, other than its the newer 41 byte hash beginning with an *.我检查了 dev.mysql.com 的答案，但找不到任何东西，除了以 * 开头的较新的 41 字节哈希。

3 个解决方案

Not sure, what exactly your question is aiming at, but if you want to know how MySQL encrypts passwords stored in the user table read here in the manual :不确定，您的问题究竟针对什么，但是如果您想知道 MySQL 如何加密存储在用户表中的密码，请阅读手册中的此处：

MySQL encrypts passwords stored in the user table using its own algorithm. MySQL 使用自己的算法加密存储在用户表中的密码。 This encryption is the same as that implemented by the PASSWORD() SQL function but differs from that used during the Unix login process.这种加密与PASSWORD() SQL 函数实现的加密相同，但与 Unix 登录过程中使用的加密不同。 Unix password encryption is the same as that implemented by the ENCRYPT() SQL function. Unix 密码加密与ENCRYPT() SQL 函数实现的相同。 See the descriptions of the PASSWORD() and ENCRYPT() functions in Section 12.13 , “Encryption and Compression Functions”.请参阅第 12.13 节“加密和压缩函数”中对PASSWORD()和ENCRYPT()函数的描述。

From version 4.1 on, MySQL employs a stronger authentication method that has better password protection during the connection process than in earlier versions.从 4.1 版本开始，MySQL 使用更强大的身份验证方法，在连接过程中具有比早期版本更好的密码保护。 It is secure even if TCP/IP packets are sniffed or the mysql database is captured.即使 TCP/IP 数据包被嗅探或 mysql 数据库被捕获，它也是安全的。 (In earlier versions, even though passwords are stored in encrypted form in the user table, knowledge of the encrypted password value could be used to connect to the MySQL server.) Section 6.1.2.4, “Password Hashing in MySQL” , discusses password encryption further. （在早期版本中，即使密码以加密形式存储在用户表中，加密密码值的知识可用于连接到 MySQL 服务器。）第 6.1.2.4 节，“MySQL 中的密码散列” ，讨论密码加密进一步。

I don't think you will be able to decrypt password stoed in MySQL table and it's of no use using password which is stored in mysql .我认为您无法解密 MySQL 表中存储的密码，并且使用存储在mysql密码也没有用。 user table. user表。

You should be using password that is being set when User is created in your application, If you have lost password of users then you can reset it using mysqladmin您应该使用在应用程序中创建User时设置的密码，如果您丢失了用户密码，则可以使用mysqladmin重置它

SET PASSWORD FOR 'user-name-here'@'hostname-name-here' = PASSWORD('new-password-here');为'用户名-此处'@'主机名-名-此处'设置密码 = PASSWORD('新密码-此处');

MySQL 4.1+ uses a double SHA-1 hash (With the inner hash outputting raw data, not hex), the older versions seems to use a non-standard hash. MySQL 4.1+ 使用双SHA-1散列（内部散列输出原始数据，而不是十六进制），旧版本似乎使用非标准散列。

(There are PHP implementations of both in the answers to this question ) （在这个问题的答案中有两者的 PHP 实现）

Unless you have a good reason to use them (compatibility with MySQL passwords / legacy code seems to be the only good reasons), you should be using bcrypt / PBKDF2 / scrypt for hashing passwords.除非您有充分的理由使用它们（与 MySQL 密码/遗留代码的兼容性似乎是唯一的好理由），否则您应该使用 bcrypt / PBKDF2 / scrypt 对密码进行散列。