MySQL Password Hashing
This page describes a technical detail of our MySQL database system that most customers don’t need to worry about. It’s here to assist advanced customers who need to know technical details about how our MySQL servers are set up.
- About hashed passwords
- Hashed password incompatibilities
- Which hashing method does Tiger Technologies use?
- What if I really need a “short hash”?
About hashed passwords
When you create a new MySQL database or change a MySQL database password, the MySQL software doesn’t actually store the password you type. For security it instead stores a “hashed” version of that password.
Current versions of MySQL store the hashed password in a different format than older versions. For example, if you choose the password “mypass”, MySQL stores that as “*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4” (the MySQL documentation calls this a “long hash”) — but older versions stored the same password as “6f8c114b58f2ce9e” (a “short hash”).
Hashed password incompatibilities
The different password hashing formats can cause incompatibilities described on the MySQL password hashing page. In particular:
- Old MySQL client software designed for MySQL versions before 4.1.1 cannot connect to databases that use long hashes.
- New MySQL client software using the “mysqlnd” system introduced in PHP 5.3 cannot connect to databases that use short hashes. (Our PHP installations don’t use mysqlnd, but custom PHP versions you download or build may.)
This presents a problem, because it’s impossible to support both types of clients. The server needs to pick one of these hashing methods and accept the fact that some other clients will not be able to connect.
Which hashing method does Tiger Technologies use?
We use “long hashes” when you create a new database or change the password of an existing database. This makes sure that all current client software, including versions of PHP that use “mysqlnd”, can connect without problems. It also means that very old client software may not be able to connect, though.
We used “short hashes” before November 28, 2011. This usually doesn’t cause any problems. However, if you created a database before that date, and you try to connect to it using a custom version of PHP (perhaps from another company’s server), you may see an error saying “mysqlnd cannot connect to MySQL 4.1+ using the old insecure authentication” (in this context, “insecure authentication” means a “short password hash”).
If this happens, you can convert your database to use a “long hash”. Simply “change” your MySQL password and use the same password that the database already has. The same password will be re-saved as a “long hash” instead of a “short hash”.
What if I really need a “short hash”?
If you need your database password saved as a “short hash” so that it’s compatible with very old MySQL client software (and incompatible with some new software), we do provide a way to make that happen.
You first need to calculate the short hash manually from a MySQL command-line connection. Here’s an example of doing that:
mysql> SET old_passwords = ON;
Query OK, 0 rows affected (0.00 sec)
mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e |
+--------------------+
1 row in set (0.00 sec)
Once you know the short hash of the password you want to use, “change” your database password and enter the password as crypt:6f8c114b58f2ce9e (using the short hash you calculated instead of “6f8c114b58f2ce9e”, of course). Our control panel will force MySQL to use the part after the “crypt:” as a short hashed password.