Re: Source of bad password hashing practices? MySQL manual...

[John Haxby <john.haxby () oracle com>]

On 09/10/13 00:57, Rich Felker wrote:
> It's come to my attention recently that the MySQL reference manual is
> recommending very poor password hashing practices as part of its
> security guidelines:
>
>   "Do not store cleartext passwords in your database. If your computer
>   becomes compromised, the intruder can take the full list of
>   passwords and use them. Instead, use SHA2(), SHA1(), MD5(), or some
>   other one-way hashing function and store the hash value."
>
>   (http://dev.mysql.com/doc/refman/5.7/en/security-guidelines.html)
>
> With MySQL being one of the major traditional "LAMP stack" components,
> I wonder if this is the source from which many web developers are
> getting their ideas on how to do password hashing. What is the proper
> procedure for publicizing documentation bugs like this which are
> leading to poor security practice, and for getting them fixed?


I passed on the comments from this message and its replies and they
eventually made their way to the MySQL documentation team and I got this
reply about a week ago:

> Just to let you know that the MySQL documentation team have committed the change based your suggestion and it should 
> show up soon in the MySQL Reference Manual.


jch

(Other than having the same employer I don't have anything to do with
MySQL so I haven't seen the changes.)