MariaDB: Default password authentication not good enough?
I've been researching for a couple of hours the "best practice" to create a second account for the mysql database using password authentication instead of the auth_socket / unix_socket.

By this guide (safest and permanent solution to create a new user in mariadb), the authentication uses no plugin. In other guides, people add mysql_native_password as the plugin (e.g. here).

However, in the mariadb documentation about mysql_native_password, they recommend using the ed25519 plugin instead. I have not seen a single guide online to use this one with mariadb.

Now, which authentication method/plugin should I use, and what's the big difference between the no-plugin method and ed25519?

Tags: mysql, password, authentication, plugins, mariadb

asked Feb 19 at 11:15 by Tanckom; edited Feb 19 at 11:42 by Tanckom

1 Answer

          As per your ed25519 plugin link:




          MySQL has used SHA-1 based authentication since version 4.1. Since
          MariaDB 5.2 this authentication plugin has been called
          mysql_native_password. Over the years as computers became faster, new
          attacks on SHA-1 were being developed. Nowadays SHA-1 is no longer
          considered as secure as it was in 2001. That's why the ed25519
          authentication plugin was created.



          The ed25519 authentication plugin uses Elliptic Curve Digital
          Signature Algorithm to securely store users' passwords and to
          authenticate users. The ed25519 algorithm is the same one that is used
          by OpenSSH. It is based on the elliptic curve and code created by
          Daniel J. Bernstein.




          If security is a concern to you, and it should be, I would follow MariaDB best practice and use the ed25519 plugin.

          By default, without any plugin, MariaDB uses sha1(sha1("password")), well, actually SHA1(UNHEX(SHA1("this_is_a_random_string"))), and sha1 is unsafe. As usual, follow best practice and use the ed25519 plugin. If there is a best practice concerning security, follow it; there usually is a good reason. Nobody is gonna write up a best practice for something if there is not a good reason.

          answered Feb 19 at 11:56 by thecarpy; edited Feb 19 at 13:48

          • I've also read that part, but this is the mysql_native_password plugin. My big question is about the non-plugin method.

            – Tanckom
            Feb 19 at 12:17

          • I have amended my answer.

            – thecarpy
            Feb 19 at 13:49

          • This explains a lot; however, even though ed25519 should be used, it's not supported by phpMyAdmin.

            – Tanckom
            Feb 19 at 14:33

          • In that case you should use the potentially unsafe password scheme for the phpMyAdmin user: alter user 'username'@'localhost' identified with mysql_native_password by 'password'; Not ideal, but if you have to use phpMyAdmin, no other choice, for the moment ...

            – thecarpy
            Feb 21 at 21:18
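As an added worked example (not code from the page, from thecarpy, or from the MariaDB project), the script below implements the scheme the answer describes for the no-plugin case, which in MariaDB is the same mysql_native_password scheme the comments fall back to for phpMyAdmin: the stored value is SHA1 of the raw SHA1 of the password, and login is a challenge-response over that stored value. It also includes a small audit that makes the practical weakness visible: there is no per-user salt, so two accounts with the same password carry identical authentication strings. The `*2470…` value asserted in the test is the well-known hash of the string "password"; the user rows are constructed sample data and the function names are my own.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def native_password_hash(password: str) -> str:
    """Stored form used by mysql_native_password (and MariaDB's PASSWORD()):
    '*' followed by SHA1(SHA1(password)) as upper-case hex. The inner digest
    is hashed as raw bytes, which is what the answer's SHA1(UNHEX(SHA1(...)))
    spells out. No per-user salt is involved anywhere."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    stage2 = hashlib.sha1(stage1).digest()
    return "*" + stage2.hex().upper()


def client_auth_response(password: str, scramble: bytes) -> bytes:
    """Client side of the native challenge-response. The server sent a 20-byte
    scramble; the client answers SHA1(pw) XOR SHA1(scramble || SHA1(SHA1(pw)))."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mask = hashlib.sha1(scramble + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mask))


def server_verify(stored_hash: str, scramble: bytes, response: bytes) -> bool:
    """Server side: it holds only stage2 (the stored hash). It undoes the XOR to
    recover the client's SHA1(pw) and checks that hashing that once more
    reproduces stage2."""
    if len(response) != 20 or not stored_hash.startswith("*"):
        return False
    stage2 = bytes.fromhex(stored_hash[1:])
    mask = hashlib.sha1(scramble + stage2).digest()
    stage1 = bytes(a ^ b for a, b in zip(response, mask))
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(hashlib.sha1(stage1).digest(), stage2)


def shared_password_accounts(rows):
    """Audit helper: given (user, host, authentication_string) rows, as a DBA
    would read them from mysql.user, group accounts whose stored hashes are
    identical. Because the scheme is unsalted, identical hashes mean identical
    passwords, something a salted scheme would hide."""
    groups = defaultdict(list)
    for user, host, auth in rows:
        groups[auth].append(f"{user}@{host}")
    return {h: accts for h, accts in groups.items() if len(accts) > 1}


# Constructed sample rows (not real accounts): two users share the password "password".
SAMPLE_USER_ROWS = [
    ("app", "localhost", native_password_hash("password")),
    ("report", "localhost", native_password_hash("password")),
    ("backup", "localhost", native_password_hash("another one")),
]

if __name__ == "__main__":
    stored = native_password_hash("password")
    print("stored authentication_string:", stored)
    scramble = os.urandom(20)
    print("correct password accepted:",
          server_verify(stored, scramble, client_auth_response("password", scramble)))
    print("wrong password rejected:",
          not server_verify(stored, scramble, client_auth_response("Password", scramble)))
    for h, accts in shared_password_accounts(SAMPLE_USER_ROWS).items():
        print("accounts sharing hash", h, "->", accts)
```

The challenge-response keeps the password itself off the wire, but anyone who obtains the mysql.user table can attack every native hash offline with a plain SHA-1-of-SHA-1 guess loop, and the shared-hash audit above shows that the table also leaks which accounts reuse a password. That is the property MariaDB's ed25519 plugin removes: it stores a public key derived from the password and verifies a signature instead (in MariaDB 10.4 and later the syntax is `IDENTIFIED VIA ed25519 USING PASSWORD('...')`), so the stored value cannot be checked with a cheap hash function. Accounts that must stay on mysql_native_password for client compatibility, as with phpMyAdmin above, deserve long random passwords and a host restriction for exactly this reason.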