-1

My input form and MySQL database were encoded in LATIN.

When I change completely to UTF-8, I am unable to change the passwords in the database (they are coded). I assume, if people used special chars in their password, and the new login form is UTF-8, they will be locked out. Correct? (For example, if they used an ä letter.)

Solution? I could probably try to double-check their login pwd (when they try to log in) against a LATIN conversion of their input... and if that matches, I automatically reset their password again with the UTF-8 input.

Is that the way to go?

bodomalo
  • If you’re storing *hashed* passwords anyway, like you’re supposed to, this should be a nonissue. – deceze Dec 28 '18 at 20:43
  • Are you sure? The user types in a password like "Müller" in LATIN, this gets hashed and stored. Then I change the character setting of the password form to UTF-8, he types in Müller, and that ü becomes a different character, so the hash does not match the stored hash. No? I think so... – bodomalo Dec 29 '18 at 21:33
  • I see what you're worried about now. Yes, that would indeed be a concern. So explicitly convert the password to latin1, so you continue to treat it in the "legacy" way. Perhaps keep a flag on the user's account in the database whether to use legacy password checking or not, and upgrade users' passwords over time while they log in. – deceze Dec 29 '18 at 22:08

1 Answer

0

The table mysql.user is what you are asking about? Or is this some newer plugin?

The passwords in that table are not the actual passwords, but rather they are fed through a 1-way encryption, then stored in text that is compatible with ascii, latin1, and utf8. Don't worry about that column in that table.

If you are doing your own password management, then you have left out several bits of information. Do you connect as utf8 or latin1? Let's see `SHOW CREATE TABLE`. Do you store the pwd without encrypting (thereby being more vulnerable)?

And how did you convert your tables? There are several wrong ways. I recommend you check them now, before the mess gets worse. Store a non-ascii character in some table, then do `SELECT col, HEX(col) FROM ...;` we can see whether it is being stored correctly as opposed to "double-encoded" or other nasty. More discussion

Rick James
  • I think it is impossible to convert a hashed password in a table. I am not talking about mysql.user, I write about my own user table with stored passwords (hashed). – bodomalo Dec 29 '18 at 21:36
  • Then your pwd column should be `BINARY(..)` or some other non-text datatype. Or you should convert the hash to hex or base64 so that text won't choke. – Rick James Dec 30 '18 at 19:32
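
The upgrade-on-login approach discussed in the comments above (legacy flag, latin1 check, re-hash as UTF-8, hash stored as hex text), as an added example that is not code from anyone in this thread. It assumes Python, PBKDF2 as the hash, and hypothetical names (`login`, `make_hash`, `matches`, a `user` dict with `pw_hash` and `legacy` fields standing in for a row of the application's user table).

```python
import hashlib
import hmac
import os
import unicodedata

LEGACY_ENCODING = "latin-1"  # assumption: the bytes the old form submitted
ITERATIONS = 600_000         # PBKDF2-HMAC-SHA256 work factor


def make_hash(pw_bytes, salt=None):
    """Return 'salt$hash' as hex text, which any column charset stores intact."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw_bytes, salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def matches(pw_bytes, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(stored.split("$")[0])
    return hmac.compare_digest(make_hash(pw_bytes, salt), stored)


def login(user, typed):
    """user is a dict standing in for one row of the application's user table."""
    typed = unicodedata.normalize("NFC", typed)  # one byte form per visible string
    utf8_bytes = typed.encode("utf-8")
    if not user["legacy"]:
        return matches(utf8_bytes, user["pw_hash"])
    try:
        legacy_bytes = typed.encode(LEGACY_ENCODING)
    except UnicodeEncodeError:
        return False  # not representable in the old charset, so it cannot match
    if not matches(legacy_bytes, user["pw_hash"]):
        return False
    # Only now is the plaintext known to be right: re-hash it as UTF-8.
    user["pw_hash"] = make_hash(utf8_bytes)
    user["legacy"] = False
    return True


if __name__ == "__main__":
    # Constructed account whose hash was made from latin-1 bytes (ü = 0xFC).
    row = {"pw_hash": make_hash("Müller".encode(LEGACY_ENCODING)), "legacy": True}
    print(login(row, "Müller"), row["legacy"])  # upgraded on first login
    print(login(row, "Müller"), row["legacy"])  # now verified as UTF-8
```

Browsers submit forms from pages declared ISO-8859-1 as windows-1252, so set `LEGACY_ENCODING` to `"cp1252"` if that is what the old form actually sent; the two agree for characters such as ä and ü.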