Oracle 5.0 Reference Manual page 584

Keeping Passwords Secure

+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

To store account passwords, the Password column of the user table was at this point 16 bytes long.

The 4.1 Hashing Method

MySQL 4.1 introduced password hashing that provides better security and reduces the risk of
passwords being intercepted. There were several aspects to this change:

• Different PASSWORD() function result format
• Widening of the Password column
• Control over the default hashing method
• Control over the permitted hashing methods for clients attempting to connect to the server

The changes in MySQL 4.1 took place in two stages:

• MySQL 4.1.0 used a preliminary version of the 4.1 hashing method. Because this method was so
short lived, the following discussion says no more about it.
• In MySQL 4.1.1, the hashing method was modified to produce a longer 41-byte hash value:

mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+

The longer password hash format has better cryptographic properties, and client authentication
based on long hashes is more secure than that based on the older short hashes.

To accommodate longer password hashes, the Password column in the user table was changed at
this point to be 41 bytes, its current length.

A widened Password column can store password hashes in both the pre-4.1 and 4.1 formats. The
format of any given hash value can be determined two ways:

• The length: 4.1 and pre-4.1 hashes are 41 and 16 bytes, respectively.
• Password hashes in the 4.1 format always begin with a "*" character, whereas passwords in the
pre-4.1 format never do.

To permit explicit generation of pre-4.1 password hashes, two additional changes were made:

• The OLD_PASSWORD() function was added, which returns hash values in the 16-byte format.
• For compatibility purposes, the old_passwords system variable was added, to enable
DBAs and applications control over the hashing method. The default old_passwords
value of 0 causes hashing to use the 4.1 method (41-byte hash values), but setting
old_passwords=1 causes hashing to use the pre-4.1 method. In this case, PASSWORD()
produces 16-byte values and is equivalent to OLD_PASSWORD().

To permit DBAs control over how clients are permitted to connect, the secure_auth
system variable was added. Starting the server with this variable disabled or enabled permits or
prohibits clients to connect using the older pre-4.1 password hashing method. Before MySQL 5.6.5,
secure_auth is disabled by default. As of 5.6.5, secure_auth is enabled by default to
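
An added example, not taken from the manual: a Python audit that applies both format rules above (length and leading "*") to rows read from the user table and reports which accounts still hold pre-4.1 hashes, the ones affected by secure_auth. The function names classify_hash and audit and the sample rows are constructed for illustration; only the two hash values come from this page.

```python
import string

HEX = set(string.hexdigits)

def classify_hash(value):
    """Classify a stored Password column value using both rules from the text:
    length (41 vs 16 bytes) and the leading '*' of the 4.1 format."""
    if value == "":
        return "empty"                      # no password set for the account
    starred = value.startswith("*")
    body = value[1:] if starred else value
    if not all(c in HEX for c in body):
        return "malformed"                  # hashes are hexadecimal strings
    if starred and len(value) == 41:
        return "4.1"
    if not starred and len(value) == 16:
        return "pre-4.1"
    return "malformed"                      # the two rules disagree, or bad length

def audit(rows):
    """Group (user, host, password_hash) rows by hash format."""
    report = {"4.1": [], "pre-4.1": [], "empty": [], "malformed": []}
    for user, host, pw in rows:
        report[classify_hash(pw)].append(f"{user}@{host}")
    return report

# Constructed sample rows, shaped like the result of
#   SELECT User, Host, Password FROM mysql.user;
SAMPLE_ROWS = [
    ("app", "10.0.0.%", "*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4"),
    ("legacy", "localhost", "6f8c114b58f2ce9e"),
    ("anon", "%", ""),
    ("broken", "%", "*6C8989366EAF75B"),    # starred but only 16 bytes long
]

if __name__ == "__main__":
    for fmt, accounts in audit(SAMPLE_ROWS).items():
        print(f"{fmt:10} {', '.join(accounts) or '-'}")
```

Accounts reported under pre-4.1 need a new password set with the 4.1 method before secure_auth is enabled; malformed entries point to values that neither hashing method produces.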
