MySQL Forums
Forum List  »  Security

Re: Mysql l8.0 PASSWORD() function
Posted by: Georgi Kodinov
Date: October 29, 2020 01:36AM

Are the passwords in that system mysql user accounts (residing in the mysql.user table) or are they application user accounts?

*Iff* they are mysql user accounts and the hashes are encoded using the "new" password hash function (5.7's old_passwords was set to 0) you can still use the hashes to authenticate the users via the mysql_native_password authentication method even in 8.0.

If the hashes are using the old (pre-4.1) hash (old_passwords=1) you're out of luck aside from creating your own authentication plugin that would deal with old hashes.

Of course I wouldn't recommend any of that since both "native" and "old" use SHA1 and that's been known to be very weak for some time now.

Thus, instead of trying to find ways to prolong the use of insecure hashes I would just take the hit and ask the users to go in and change their passwords.

Note that mysql 8.0 offers a tool that you can use to force them to do that. Check the PASSWORD EXPIRE clause of CREATE/ALTER USER: https://dev.mysql.com/doc/refman/8.0/en/create-user.html

Besides, if you're really set on having the PASSWORD() function you can actually make it into a UDF. The algorithms used are published in the doxygen manual: https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_connection_phase_authentication_methods.html

Georgi "Joro" Kodinov
MySQL SrvGen team lead
Plovdiv, Bulgaria

Options: ReplyQuote


Subject
Views
Written By
Posted
159
October 19, 2020 08:18AM
Re: Mysql l8.0 PASSWORD() function
76
October 29, 2020 01:36AM


Sorry, only registered users may post in this forum.

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.