Felix Geerinckx wrote:
> On 24/11/2005, Lowell Allen wrote:
>
>>but I'm looking for a way to convert the short hash values into
>>comparable long hash values.
>
> This is (fortunately) *not* possible.
>
>>Apparently the upgrade procedure can successfully convert
>>short-to-long hash values for MySQL user passwords
>
> It doesn't. It uses the old method for old passwords and the new one
> for new passwords. Look up the OLD_PASSWORD() function.
>
>>Any practical advice greatly appreciated.
>
> You can use OLD_PASSWORD() for old passwords (16 chars) and PASSWORD()
> for new passwords (41 chars, starting with a '*').
>
> Since you are receiving the password from the user when he/she logs in,
> you can add some logic to your login procedure to change the password
> to the new hashing.
That seems like very good advice, thanks. Is there a proactive way to
deal with this problem on servers that haven't been upgraded to 4.1 yet?
Like changing the login to use OLD_PASSWORD() and writing to a new
password field with an encryption function? In other words, something
that would work pre-4.1 and also post-4.1. (Just writing
conversationally, I'll check into it myself.)
>
>
> P.S.: This is exactly why MySQL AB advises against the use of
> PASSWORD() for your own authentication.
I missed that advisement completely, but I would have preferred a new
name for a new function instead of changing the results of an existing
function.
--
Lowell Allen
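The login-time upgrade discussed in this thread, as an added Python example (not code from either poster or from MySQL): it tells the two stored formats apart by shape (16 hex characters versus 41 characters starting with `*`), verifies against whichever one is stored, and on success writes an application-owned hash to a separate column. The column names `pw_legacy` and `pw_new`, the choice of PBKDF2, and the Python reimplementations of the two server-side hashes (included only so the example runs offline) are assumptions of this example.

```python
import hashlib, hmac, os

def old_password(pw: str) -> str:
    """16-hex-char pre-4.1 hash, as OLD_PASSWORD() returns (reimplemented here)."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for c in pw.encode():
        if c in (0x20, 0x09):              # the legacy hash skips spaces and tabs
            continue
        nr ^= ((((nr & 63) + add) * c) + (nr << 8)) & 0xFFFFFFFF
        nr2 = (nr2 + (((nr2 << 8) ^ nr) & 0xFFFFFFFF)) & 0xFFFFFFFF
        add += c
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)

def new_password(pw: str) -> str:
    """41-char 4.1+ hash, as PASSWORD() returns: '*' + hex(SHA1(SHA1(pw)))."""
    inner = hashlib.sha1(pw.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def app_hash(pw: str, salt: bytes) -> str:
    """Application-owned salted hash for the new column (PBKDF2: example's choice)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()

def login(row: dict, pw: str) -> bool:
    """Verify pw against row; after a legacy match, migrate to the new column."""
    if row.get("pw_new"):                   # already migrated
        salt_hex, digest = row["pw_new"].split("$")
        return hmac.compare_digest(app_hash(pw, bytes.fromhex(salt_hex)), digest)
    stored = row.get("pw_legacy") or ""
    if len(stored) == 16:                   # short (pre-4.1) format
        candidate = old_password(pw)
    elif len(stored) == 41 and stored.startswith("*"):   # long (4.1+) format
        candidate = new_password(pw)
    else:
        return False                        # unknown format: refuse, never guess
    if not hmac.compare_digest(candidate.lower(), stored.lower()):
        return False
    # The plaintext is only available at this moment, so rehash now.
    salt = os.urandom(16)
    row["pw_new"] = salt.hex() + "$" + app_hash(pw, salt)
    row["pw_legacy"] = None                 # drop the legacy hash once migrated
    return True

if __name__ == "__main__":
    # Constructed sample row holding a short hash.
    row = {"pw_legacy": old_password("s3cret"), "pw_new": None}
    print(login(row, "s3cret"), row["pw_legacy"], row["pw_new"][:20])
```

Because `pw_new` is computed in the application rather than by a server function, the same login code behaves identically before and after a server upgrade to 4.1.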