Why is the old mysql password function considered insecure

I know that the old mysql password function (pre-4.1) is considered insecure, but I'm not sure why. What are the specific reasons that it开发者_如何学运维's considered insecure?

---

According to the MySQL docs on password hashing:

The password hashing mechanism was updated in MySQL 4.1 to provide better security and to reduce the risk of passwords being intercepted.

I'm not sure if it means anything additional by "reduce the risk of passwords being intercepted" or if it just means they're harder to crack, but the major difference is the size of the resulting hash.

Prior to 4.1, the hash size was 16 bytes.
As of 4.1+, the hash size is 41 bytes (* + 40 bytes).

A 16-byte hash is pretty small and easy to find collisions for, relative to larger hash functions. MD5 is generally considered to be of insufficient strength, and it yields twice that -- 32 bytes. Comparably, 16 bytes is basically pathetic. For comparison:

pre-4.1 MySQL PASSWORD:  16 bytes  
                   MD5:  32 bytes
                 SHA 1:  40 bytes
   4.1+ MySQL PASSWORD:  41 bytes (40 bytes, prepended with an asterisk)
               SHA-256:  64 bytes
               SHA-512: 128 bytes

The new password hashing scheme is on par with SHA-1, which is slightly better than MD5 but still not of sufficient strength to be recommended for passwords.

---

According to: Old MySQL password cracking

Using the old password format a 16 byte hash is created such as:

6f8c114b58f2ce9e

For the same password the MySQL4.1 hash is 41 bytes long:

*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4

On the surface it might seem that this extra level of security granted by using the new passwords might not be significant. However, source code has been released under the creative common license which allows very quick cracking of old MySQL password.

The password ‘a@4~1b’ has a hash of 2c28061c5bda971d.

Using the cracking program mentioned above, this password can be cracked in under 1 second on a 2 year old laptop.

By using a SQL injection attack it might be possible for a user without permission to view your my.cnf file. Entering this in a search box could render the contents of the file in the browser if the second param in the select statement was being shown on the screen and not escaped correctly:

something’ UNION ALL SELECT 1,(SELECT LOAD_FILE(‘/etc/my.cnf’)),3,4,5,password FROM user ORDER BY ’7

If an unauthorised user is able to intercept your hashed passwords it is very easy to brute force them and obtain the plain text passwords. Complex passwords are still hard to crack, but an 8 character password will take very little time.

Since the changes to the length of the MySQL password hash, it is much harder to brute force the hashes.