My OperaChanged MySQL PASSWORD() implementation in Debian Etch
Thursday, May 31, 2007 7:22:26 PM
Since version 4.1, MySQL has changed its PASSWORD() implementation. The new implementation creates longer password hashes for improved security (see http://dev.mysql.com/doc/refman/4.1/en/password-hashing.html).
However, this makes authentication fail for web sites that use tables containing old-style password hashes, because these are compared to the hashes the new PASSWORD() implementation produces.
The aforementioned MySQL website describes different ways for fixing this problem. The simplest in some cases is to replace all instances of PASSWORD() with OLD_PASSWORD(). Of course you should upgrade as soon as reasonable to the stronger hashes.
As Debian Etch ships with MySQL 5.0, whereas Sarge contained version 4.0, this implementation change has bitten us today during an upgrade.
However, this makes authentication fail for web sites that use tables containing old-style password hashes, because these are compared to the hashes the new PASSWORD() implementation produces.
The aforementioned MySQL website describes different ways for fixing this problem. The simplest in some cases is to replace all instances of PASSWORD() with OLD_PASSWORD(). Of course you should upgrade as soon as reasonable to the stronger hashes.
As Debian Etch ships with MySQL 5.0, whereas Sarge contained version 4.0, this implementation change has bitten us today during an upgrade.
