Is it considered good or bad practice to use MySQL's password function to hash passwords used by an application? I can see pros and cons. I'm curious if there is a gener
I believe the actual PASSWORD function in MySQL is insecure, and has been broken, but I can't find a link at the moment. I know the older one (OLD_PASSWORD in 5 and up) is definitely insecure.
Of course, all passwords should always be stored with a salt (for further obscurity). Example:
UPDATE users SET password=MD5(CONCAT('salt', 'user provided value')) WHERE id=54
There is also the MD5 function, but with the rise of colossal rainbow tables, it's not 100% reliable as a way of completely obfuscating stored passwords.
A better method is hashing the password (with a salt) before it reaches the database. Example:
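An added example, not part of the original answer: one way to hash in the application so that only a salted, slow hash reaches MySQL, shown beside the static-salt MD5 scheme from the query above. The choice of PBKDF2-HMAC-SHA256, the iteration count, the stored string format and the function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; tune it for your own hardware

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing string to store in the password column."""
    salt = secrets.token_bytes(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iter_s, salt_hex, digest_hex = stored.split("$")
        iterations = int(iter_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed or legacy value: treat as non-matching
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)

def static_salt_md5(password: str) -> str:
    """MD5(CONCAT('salt', value)) as in the query above, kept only for contrast."""
    return hashlib.md5(("salt" + password).encode("utf-8")).hexdigest()

if __name__ == "__main__":
    a = hash_password("correct horse")  # constructed sample password
    b = hash_password("correct horse")
    # Per-user salts: the same password produces different stored values.
    print("salted rows differ:", a != b)
    # One shared salt: equal passwords produce equal hashes, so one
    # precomputed table for that salt covers every row.
    print("static-salt rows equal:",
          static_salt_md5("correct horse") == static_salt_md5("correct horse"))
    print("verify:", verify_password("correct horse", a), verify_password("wrong", a))
    # The application then binds the string as a query parameter, e.g.
    #   UPDATE users SET password = %s WHERE id = %s
```
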