MySQL Forums

Re: MySQL 8.0 PASSWORD() function
Posted by: Georgi Kodinov
Date: October 29, 2020 01:36AM

Are the passwords in that system mysql user accounts (residing in the mysql.user table) or are they application user accounts?

*Iff* they are mysql user accounts and the hashes are encoded using the "new" password hash function (5.7's old_passwords was set to 0) you can still use the hashes to authenticate the users via the mysql_native_password authentication method even in 8.0.

If the hashes are using the old (pre-4.1) hash (old_passwords=1) you're out of luck aside from creating your own authentication plugin that would deal with old hashes.

Of course I wouldn't recommend any of that since both "native" and "old" use SHA1 and that's been known to be very weak for some time now.

Thus, instead of trying to find ways to prolong the use of insecure hashes I would just take the hit and ask the users to go in and change their passwords.

Note that mysql 8.0 offers a tool that you can use to force them to do that. Check the PASSWORD EXPIRE clause of CREATE/ALTER USER: https://dev.mysql.com/doc/refman/8.0/en/create-user.html

Besides, if you're really set on having the PASSWORD() function you can actually make it into a UDF. The algorithms used are published in the doxygen manual: https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_connection_phase_authentication_methods.html

Georgi "Joro" Kodinov
MySQL SrvGen team lead
Plovdiv, Bulgaria
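The two points above, that a "new"-format hash is all the server needs to run mysql_native_password, and that the PASSWORD() algorithm is public enough to reimplement, can be seen in a few lines of Python. This is an added illustration, not code from the post or from the MySQL server; it follows the published mysql_native_password description (hash = '*' + uppercase hex of SHA1(SHA1(password)); the client answers a 20-byte salt with SHA1(password) XOR SHA1(salt + SHA1(SHA1(password)))). The `hash_kind` helper and the test password are my own additions.

```python
import hashlib
import hmac


def native_password_hash(password: str) -> str:
    """What PASSWORD() returned for old_passwords=0: '*' + upper(hex(SHA1(SHA1(pw))))."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    stage2 = hashlib.sha1(stage1).digest()
    return "*" + stage2.hex().upper()


def hash_kind(stored: str) -> str:
    """Classify a mysql.user hash: 41-char '*...' is reusable with mysql_native_password,
    a 16-hex-char value is the pre-4.1 'old' format the post says cannot be reused."""
    if len(stored) == 41 and stored[0] == "*" and all(c in "0123456789ABCDEF" for c in stored[1:]):
        return "native"
    if len(stored) == 16 and all(c in "0123456789abcdefABCDEF" for c in stored):
        return "old"
    return "unknown"


def client_scramble(password: str, salt: bytes) -> bytes:
    """Client side of mysql_native_password: SHA1(pw) XOR SHA1(salt + SHA1(SHA1(pw)))."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mix = hashlib.sha1(salt + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mix))


def server_verify(stored_hash: str, salt: bytes, response: bytes) -> bool:
    """Server side: only the stored '*...' hash is needed, never the cleartext password.
    Undo the XOR to recover SHA1(pw), hash it once more and compare with the stored value."""
    if hash_kind(stored_hash) != "native" or len(response) != 20:
        return False
    stage2 = bytes.fromhex(stored_hash[1:])
    mix = hashlib.sha1(salt + stage2).digest()
    stage1 = bytes(a ^ b for a, b in zip(response, mix))
    # constant-time compare so a timing difference does not leak hash bytes
    return hmac.compare_digest(hashlib.sha1(stage1).digest(), stage2)


if __name__ == "__main__":
    salt = bytes(range(20))                      # constructed 20-byte salt for the demo
    stored = native_password_hash("password")    # documented value: *2470C0C0...1E19
    print(stored)
    print(server_verify(stored, salt, client_scramble("password", salt)))   # True
    print(server_verify(stored, salt, client_scramble("wrong", salt)))      # False
```

Note that the whole exchange still rests on unsalted SHA1 of the password, which is exactly why the post recommends expiring the passwords rather than carrying the hashes forward.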
