List: General Discussion
From: Lowell Allen  Date: November 24 2005 1:58pm
Subject:Re: 4.1 password problem
Felix Geerinckx wrote:
> On 24/11/2005, Lowell Allen wrote:
> 
>>but I'm looking for a way to convert the short hash values into 
>>comparable long hash values. 
> 
> This is (fortunately) *not* possible.
> 
>>Apparently the upgrade procedure can successfully convert
>>short-to-long hash values for MySQL user passwords 
> 
> It doesn't. It uses the old method for old passwords and the new one
> for new passwords. Look up the OLD_PASSWORD() function.
> 
>>Any practical advice greatly appreciated.
> 
> You can use OLD_PASSWORD() for old passwords (16 chars) and PASSWORD()
> for new passwords (41 chars, starting with a '*').
> 
> Since you are receiving the password from the user when he/she logs in,
> you can add some logic to your login procedure to change the password
> to the new hashing.

That seems like very good advice, thanks. Is there a proactive way to 
deal with this problem on servers that haven't been upgraded to 4.1 yet? 
Like changing the login to use OLD_PASSWORD() and writing to a new 
password field with an encryption function? In other words, something 
that would work pre-4.1 and also post-4.1. (Just writing 
conversationally, I'll check into it myself.)
> 
> 
> P.S.: This is exactly why MySQL AB advises against the use of
> PASSWORD() for your own authentication.

I missed that advisement completely, but I would have preferred a new 
name for a new function instead of changing the results of an existing 
function.

--
Lowell Allen
> 
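
Added example, not part of the original messages: a sketch of the upgrade-on-login logic discussed above, which picks the hash by stored format (16 characters, or 41 characters starting with '*') and rewrites a short hash once the user has supplied the correct password. The `users` dict standing in for the application's user table and the `login` function are hypothetical, and the two hashes are reimplemented in Python only so the example runs offline; in an application the comparison would be done by the server's OLD_PASSWORD() and PASSWORD().

```python
import hashlib
import hmac

MASK32 = 0xFFFFFFFF

def old_password(pw: str) -> str:
    """Pre-4.1 hash, as returned by OLD_PASSWORD(): 16 hex characters."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for b in pw.encode():
        if b in (0x20, 0x09):  # the old algorithm skips spaces and tabs
            continue
        nr = (nr ^ ((((nr & 63) + add) * b) + (nr << 8))) & MASK32
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & MASK32
        add += b
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)

def new_password(pw: str) -> str:
    """4.1 hash, as returned by PASSWORD(): '*' plus 40 hex characters."""
    inner = hashlib.sha1(pw.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def _same(a: str, b: str) -> bool:
    # Constant-time comparison of two hash strings.
    return hmac.compare_digest(a.encode(), b.encode())

def login(users: dict, name: str, pw: str) -> bool:
    """Verify pw against the stored hash; upgrade a short hash on success."""
    stored = users.get(name)
    if stored is None:
        return False
    if len(stored) == 41 and stored.startswith("*"):
        return _same(stored, new_password(pw))
    if len(stored) == 16 and _same(stored, old_password(pw)):
        users[name] = new_password(pw)  # the only moment the plaintext is known
        return True
    return False

if __name__ == "__main__":
    users = {"lowell": old_password("example-pass")}  # constructed sample row
    print(login(users, "lowell", "example-pass"), users["lowell"])
```

The same hook could write a different hash into a new column instead of PASSWORD() output, which is the direction the P.S. about not using PASSWORD() for application authentication points in.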
