
I have a bit of a plight. My mysql 4.1.0 database has to be upgraded (1and1) but it seems the application used PASSWORD() for hashing. With the mysql 5 upgrade PASSWORD() gives an entirely different result as such the passwords can't be correctly read and validated.

OLD_PASSWORD() doesn't seem to encrypt/decrypt to the 4.1.0 version but rather the even earlier 4.0.

What can I do?

jesmaestro
  • found a question that seems very relevant to yours here: http://stackoverflow.com/questions/1892607/mysql-password-hashing-method-old-vs-new / and there's always requiring your users to reset their password for the new system – Joe Jun 11 '13 at 23:38

1 Answer


"For compatibility purposes, the old_passwords system variable was added, to enable DBAs and applications control over the hashing method. The default old_passwords value of 0 causes hashing to use the 4.1 method (41-byte hash values), but setting old_passwords=1 causes hashing to use the pre-4.1 method. In this case, PASSWORD() produces 16-byte values and is equivalent to OLD_PASSWORD()"

I suggest forcing everyone to create a new password, validated via email and a random key, and then store the new passwords with a good method (use something like PHPass or at least bcrypt with salt).

Jessica
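As an added illustration of the migration the answer recommends (this is example code, not from the question, the answer, or MySQL itself), the block below reproduces the two hash shapes an old application may hold, the 4.1.1+ PASSWORD() form (41 characters, SHA1 of SHA1) and the pre-4.1 OLD_PASSWORD() form (16 hex characters, ported from memory of MySQL's hash_password()), and shows the "verify against the legacy hash, then rehash on successful login" pattern. It assumes a constructed in-memory user table and swaps in PBKDF2-HMAC-SHA256 from the standard library as the modern scheme so it runs offline; bcrypt or PHPass would be used the same way.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumption: tune for your hardware


def mysql41_password(pw: str) -> str:
    """MySQL 4.1.1+ PASSWORD(): '*' + upper-case hex of SHA1(SHA1(pw)), 41 chars."""
    inner = hashlib.sha1(pw.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def mysql_old_password(pw: str) -> str:
    """Pre-4.1 OLD_PASSWORD(): 16 hex chars. Port of hash_password(); spaces and
    tabs are skipped as in the original, and only the low 31 bits survive."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for byte in pw.encode("utf-8"):
        if byte in (0x20, 0x09):
            continue
        nr = (nr ^ ((((nr & 63) + add) * byte) + (nr << 8))) & 0xFFFFFFFF
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
        add += byte
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def pbkdf2_hash(pw: str, salt: bytes = None) -> str:
    """Modern salted, slow hash; format: pbkdf2_sha256$rounds$salt_hex$dk_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), dk.hex())


def pbkdf2_verify(pw: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login_and_migrate(users: dict, name: str, pw: str) -> bool:
    """Check pw against whatever format the row holds; on success, rewrite
    legacy rows with the modern hash so the old scheme dies out over time."""
    stored = users.get(name)
    if stored is None:
        return False
    if stored.startswith("pbkdf2_sha256$"):
        return pbkdf2_verify(pw, stored)
    if stored.startswith("*") and len(stored) == 41:
        ok = hmac.compare_digest(mysql41_password(pw), stored)  # 4.1.1+ row
    elif len(stored) == 16:
        ok = hmac.compare_digest(mysql_old_password(pw), stored)  # pre-4.1 row
    else:
        return False  # unknown format: refuse rather than guess
    if ok:
        users[name] = pbkdf2_hash(pw)  # upgrade in place after a good login
    return ok
```

Rows that never log in again are never upgraded, which is why the answer's forced reset via e-mail is the complete fix; this pattern only removes the need to break every account at once.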