MD5, SHA1 and SHA2 are general-purpose cryptographic hashes that, for any given input, will by design produce exactly the same output. This is how they are intended to be used: you don't want the SHA2 digest of a file to come out differently each time you run the hash. They're also designed to be fast to compute. You want something like SHA2(x) to always produce the same output for any given x, so that if you have a file and its expected digest you can tell whether the file has been tampered with in any way by recomputing the hash and comparing the two.
Password-specific hashes like bcrypt, which you might be thinking of, work differently: they mix in a random salt, so the output looks random and the same password hashes to a different value each time. That, together with the cost of each guess, makes them far more resistant to brute-force password guessing attacks. They're also designed to be slow, often tens if not millions of times slower than their MD5 or SHA counterpart. You want, effectively, BCRYPT(x) to be random and unpredictable for any given x, so that you cannot infer x from the output.
Yes, using MD5 or SHA for passwords is a huge security problem, especially if the input is unsalted. Just search for dc647eb65e6711e155375218212b3964 in your favorite search engine and see what comes up: it's instantly "dehashed". A search engine now does the job of what used to be called a rainbow table.
SHA and MD5 were used extensively for hashing passwords, mostly because they were the best option at the time. Computers were also far, far slower, and GPU cracking didn't exist, so the risk of compromise was vastly reduced. Now tools like Hashcat exist that can crack even "difficult" passwords if someone is careless enough to use a weak hash.
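As an added example (not part of the original answer), the script below shows the two behaviours side by side: SHA-256 is deterministic, so a precomputed digest-to-word table turns an unsalted MD5 digest straight back into the word that produced it, whereas a salted and deliberately slow password hash gives a different output every time and can only be checked by re-deriving with the stored salt. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt (an assumption: same design goals, different construction); the wordlist, iteration count and function names are constructed for this illustration.

```python
"""Constructed demo: deterministic fast hashes vs. salted slow password hashes."""
import hashlib
import hmac
import os

# Constructed mini wordlist: the kind of list behind a lookup/rainbow table.
WORDLIST = ["Password", "letmein", "hunter2", "correct horse battery staple"]

# The unsalted MD5 digest quoted in the answer above.
QUOTED_MD5 = "dc647eb65e6711e155375218212b3964"

# Constructed work factor; production deployments tune this much higher.
ITERATIONS = 200_000


def sha256_hex(data: bytes) -> str:
    """General-purpose hash: same input, same output, every time."""
    return hashlib.sha256(data).hexdigest()


def md5_hex(data: bytes) -> str:
    """Unsalted MD5, as once used (badly) for password storage."""
    return hashlib.md5(data).hexdigest()


def build_md5_lookup(words):
    """Precompute digest -> word for a wordlist. This is what a search engine
    or rainbow table does at scale, and it only works because the hash is
    unsalted and deterministic: every site storing md5("Password") stores
    the same 32 hex characters."""
    return {md5_hex(w.encode()): w for w in words}


def lookup(table, digest):
    """Reverse an unsalted digest by table lookup; None if not in the list."""
    return table.get(digest.lower())


def hash_password(password: str, salt=None, iterations: int = ITERATIONS):
    """Salted, slow password hash (PBKDF2-HMAC-SHA256 standing in for bcrypt).
    A fresh 16-byte random salt is drawn per call, so two hashes of the same
    password differ, and the iteration count makes each guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def main():
    print("SHA-256 is deterministic:",
          sha256_hex(b"the same file") == sha256_hex(b"the same file"))

    table = build_md5_lookup(WORDLIST)
    print("Unsalted MD5 lookup:", QUOTED_MD5, "->", lookup(table, QUOTED_MD5))

    salt1, h1 = hash_password("Password")
    _, h2 = hash_password("Password")
    print("Salted hashes of the same password differ:", h1 != h2)
    print("Correct password verifies with stored salt:",
          verify_password("Password", salt1, h1))
    print("Wrong password is rejected:", verify_password("password", salt1, h1))


if __name__ == "__main__":
    main()
```

The lookup table is the whole point of the "search for the hash" trick: no cracking is needed when the digest is unsalted and the word is common. With a per-user salt the same table is useless, and the iteration count means every candidate must be re-derived at full cost.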