{"id":3297,"date":"2011-02-28T15:50:52","date_gmt":"2011-02-28T13:50:52","guid":{"rendered":"http:\/\/code.openark.org\/blog\/?p=3297"},"modified":"2011-03-01T19:24:46","modified_gmt":"2011-03-01T17:24:46","slug":"upgrading-passwords-from-old_passwords-to-new-passwords","status":"publish","type":"post","link":"https:\/\/code.openark.org\/blog\/mysql\/upgrading-passwords-from-old_passwords-to-new-passwords","title":{"rendered":"Upgrading passwords from old_passwords to &#8220;new passwords&#8221;"},"content":{"rendered":"<p>You have <strong>old_passwords=1<\/strong> in your <strong>my.cnf<\/strong>. I&#8217;m guessing this is because you used one of the <strong>my-small.cnf<\/strong>, <strong>my-large.cnf<\/strong> etc. templates provided with your MySQL distribution.<\/p>\n<p>These files can easily win the &#8220;most outdated sample configuration file contest&#8221;.<\/p>\n<p>Usually it&#8217;s no big deal: if some parameter isn&#8217;t right, you just go and change it. Some variables, though, have a long-lasting effect, and are not easily reversed.<\/p>\n<h4>What&#8217;s the deal with old_passwords?<\/h4>\n<p>No one should be using these anymore. This variable makes the password hashing algorithm compatible with that of MySQL <strong>4.0<\/strong>. I&#8217;m pretty sure <strong>4.0<\/strong> was released <strong>9<\/strong> years ago. I don&#8217;t know of anyone still using it (or <strong>4.0<\/strong> client libraries).<\/p>\n<p>The deal is this: with old_passwords you get a <strong>16<\/strong> hexadecimal digits (<strong>64<\/strong> bit) hashing of your passwords. With so called <em>&#8220;new passwords&#8221;<\/em> you get <strong>40<\/strong> hexadecimal digits (plus extra &#8220;<strong>*<\/strong>&#8220;). So this is about better encryption of your password. Read more on the <a href=\"http:\/\/dev.mysql.com\/doc\/refman\/5.1\/en\/password-hashing.html\">manual<\/a>.<\/p>\n<h4>How do I upgrade to new password format?<\/h4>\n<p>You can&#8217;t just put a comment on the &#8220;<strong>old_passwords=1<\/strong>&#8221; entry in the configuration file. If you do so, the next client to connect will attempt to match a <strong>41<\/strong> characters hashed password to your existing <strong>16<\/strong> characters entry in the <strong>mysql.users<\/strong> table. So you need to make a simultaneous change: both remove the <strong>old_passwords<\/strong> entry and set a new password. You must know all accounts&#8217; passwords before you begin.<\/p>\n<p><!--more-->Interestingly, <strong>old_passwords<\/strong> is both a global and a session variable. To work out an example, let&#8217;s assume the account <strong>&#8216;webuser&#8217;@&#8217;localhost&#8217;<\/strong> enters with &#8216;123456&#8217;. Take a look at the following:<\/p>\n<blockquote>\n<pre>root@mysql-5.1.51&gt; SET SESSION old_passwords=0;\r\nQuery OK, 0 rows affected (0.00 sec)\r\n\r\nroot@mysql-5.1.51&gt; SELECT PASSWORD('123456');\r\n+-------------------------------------------+\r\n| PASSWORD('123456')\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |\r\n+-------------------------------------------+\r\n| *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |\r\n+-------------------------------------------+\r\n1 row in set (0.00 sec)\r\n\r\nroot@mysql-5.1.51&gt; SET SESSION old_passwords=1;\r\nQuery OK, 0 rows affected (0.00 sec)\r\n\r\nroot@mysql-5.1.51&gt; SELECT PASSWORD('123456');\r\n+--------------------+\r\n| PASSWORD('123456') |\r\n+--------------------+\r\n| 565491d704013245\u00a0\u00a0 |\r\n+--------------------+\r\n1 row in set (0.00 sec<\/pre>\n<\/blockquote>\n<p>So, the <strong>PASSWORD()<\/strong> function consults the <strong>old_passwords<\/strong> session variable.<\/p>\n<p>To upgrade <strong>&#8216;webuser&#8217;@&#8217;localhost&#8217;<\/strong>&#8216;s password we do:<\/p>\n<blockquote>\n<pre>root@mysql-5.1.51&gt; SET SESSION old_passwords=0;\r\nQuery OK, 0 rows affected (0.00 sec)\r\n\r\nroot@mysql-5.1.51&gt; SET PASSWORD FOR 'webuser'@'localhost' = PASSWORD('123456')<\/pre>\n<\/blockquote>\n<p>Go ahead and see the <strong>password<\/strong> entry on the <strong>mysql.users<\/strong> table.<\/p>\n<p>What we&#8217;ve just done is to set a <strong>41<\/strong> characters password hash for that account. Now, the next time the client wishes to connect, it must know in advance it is to expect a new password, otherwise it will encode a <strong>16<\/strong> characters hash, and try to match it with our new <strong>41<\/strong> characters hash. It is now time to perform:<\/p>\n<blockquote>\n<pre>root@mysql-5.1.51&gt; SET GLOBAL old_passwords=0;\r\nQuery OK, 0 rows affected (0.00 sec<\/pre>\n<\/blockquote>\n<p>This will apply to all new connections made from that moment on (not affecting any existing connections). So, make sure you have updated passwords for all accounts.<\/p>\n<p>To wrap it up, don&#8217;t forget to set <strong>old_passwords=0<\/strong> in the <strong>my.cnf<\/strong> file, or, better yet, completely remove the entry.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You have old_passwords=1 in your my.cnf. I&#8217;m guessing this is because you used one of the my-small.cnf, my-large.cnf etc. templates provided with your MySQL distribution. These files can easily win the &#8220;most outdated sample configuration file contest&#8221;. Usually it&#8217;s no big deal: if some parameter isn&#8217;t right, you just go and change it. Some variables, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"enabled":false},"version":2}},"categories":[5],"tags":[11,16],"class_list":["post-3297","post","type-post","status-publish","format-standard","hentry","category-mysql","tag-configuration","tag-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2bZZp-Rb","_links":{"self":[{"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/posts\/3297","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/comments?post=3297"}],"version-history":[{"count":9,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/posts\/3297\/revisions"}],"predecessor-version":[{"id":3336,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/posts\/3297\/revisions\/3336"}],"wp:attachment":[{"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/media?parent=3297"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/categories?post=3297"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/tags?post=3297"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}