Updating MySQL Pre-4.1 Password Hashes to be MySQL 5.6 Compatible

Published on: October 17, 2014
Difficulty: Easy

The post title may sound complicated, but it actually deals with a very simple problem and an even easier solution.

What are password hashes?

It is insecure to store plain text passwords in the password database.

Sure, it would be easy to programmatically check “does the password provided match what is in the database?”, but if anyone got hold of the information in that database, your password would be immediately known and exploitable. Insecure code could result in those values being printed directly to an attacker.

The solution to this unsafe practice is to hash the password. As it was well put in a Stack Overflow response:

Hashing a password will take a clear text string and perform an algorithm on it (depending on the hash type) to get a completely different value. This value will be the same every time, so you can store the hashed password in a database and check the user’s entered password against the hash.

The idea here is that even if your password hash is exposed through some hole in the software, your original password is still safe and unknown.

What are “MySQL pre4.1” password hashes?

Back in the day, MySQL used a simple hashing method for passwords. We can replicate it today by specifying that we want to use the “old_passwords” format:

root@dime174.dizinc.com: ~
# mysql -e "set @@session.old_passwords=1; select Password('mycomplexpass');"
+---------------------------+
| Password('mycomplexpass') |
+---------------------------+
| 6e8623f36140a64c          |
+---------------------------+

We can see from the above output that mycomplexpass results in the hash 6e8623f36140a64c.

Today’s password hashes are far more complex and offer significantly more security against hackers:

root@dime174.dizinc.com: ~
# mysql -e "select Password('mycomplexpass')"
+-------------------------------------------+
| Password('mycomplexpass')                 |
+-------------------------------------------+
| *56ADA1CE6FCAE5EC592761396017D33E2B29AC55 |
+-------------------------------------------+

It is more secure because of the hash length and the stronger algorithm used to generate it. This new hash style is attractive on its own, but there is actually a pressing need to get updated to this new format.

MySQL 5.6 Compatibility and secure_auth

Users with old sites, or on servers that had “old_passwords” enabled in MySQL, still used the old style of password hash for their MySQL users. The more complex hashing process was the default method after MySQL version 4.1, but it was not until MySQL 5.6 that there was a strict requirement to use the newer hash type. Because of this strictly enforced requirement, it is now mandatory to use the new style of password hash, and rightly so given the insecurity of the old style.
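For administrators who can read the mysql.user table, the two formats shown above can be told apart by shape alone: the old hash is 16 hex digits, the newer one is an asterisk followed by 40. The shell script below is an added example, not HostDime's own tooling; the function names and sample rows are constructed, and only the two hashes come from this page.

```shell
#!/bin/sh
# Added example (not HostDime's tooling): find accounts that still carry a
# pre-4.1 hash by the shape of the stored value. Names here are hypothetical.

# classify_hash HASH -> prints: pre-4.1 | 4.1+ | empty | unknown
classify_hash() {
    _h=$1
    case $_h in
        '')  echo empty; return 0 ;;                     # no password set
        \**) _body=${_h#?}; _want=40; _kind='4.1+' ;;    # '*' + 40 hex digits
        *)   _body=$_h;     _want=16; _kind='pre-4.1' ;; # 16 hex digits
    esac
    case $_body in
        *[!0-9A-Fa-f]*) echo unknown ;;                  # non-hex character
        *) if [ "${#_body}" -eq "$_want" ]; then echo "$_kind"; else echo unknown; fi ;;
    esac
}

# audit_rows: read "user<TAB>host<TAB>hash" rows on stdin and print
# 'user'@'host' for each account whose password must be set again.
# Fields are split by hand so an empty user (anonymous account) is kept.
audit_rows() {
    _tab=$(printf '\t')
    while IFS= read -r _line; do
        _user=${_line%%"$_tab"*}; _rest=${_line#*"$_tab"}
        _host=${_rest%%"$_tab"*}; _hash=${_rest#*"$_tab"}
        case $(classify_hash "$_hash") in
            pre-4.1) printf "'%s'@'%s'\n" "$_user" "$_host" ;;
        esac
    done
}

# Constructed sample rows; the two hashes are the ones shown above.
sample_rows() {
    printf '%s\t%s\t%s\n' \
        mycpaneluser_wp123 localhost 6e8623f36140a64c \
        mycpaneluser_shop  localhost '*56ADA1CE6FCAE5EC592761396017D33E2B29AC55' \
        mycpaneluser_test  localhost '' \
        ''                 localhost 6E8623F36140A64C
}

# On MySQL 5.6 or earlier, as a user allowed to read mysql.user:
#   mysql -N -B -e "SELECT User, Host, Password FROM mysql.user" | audit_rows
sample_rows | audit_rows
```

Every account it prints needs its password set again while old_passwords is off, which is the procedure described in the rest of this post.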

HostDime has updated most of the hashes already

In an effort to assist our clients, we have gone through all of our shared servers and programmatically updated the hashes for any password we could find in plain text within a configuration file. If you have a WordPress site, any other popular CMS, or even a hand-coded site, it is very likely that we were able to find a working password and use it to automatically regenerate the hash for that MySQL user in the new style.

However, there may still be some users that we were unable to automatically fix. If you still have a MySQL user with an old MySQL hash, you will need to update it.

Where do I find my current password?

The MySQL database username and password for your website are stored in its configuration file. This can be found in your webspace root (through FTP or cPanel’s file manager).

For example: If you have a WordPress site at mydomain.com/blog, you can likely find your configuration file at /home/myuser/public_html/blog/wp-config.php:

define('DB_USER', 'mycpaneluser_wp123');
define('DB_PASSWORD', '7Py2o7RS%');

From the above, we can see that your database username is mycpaneluser_wp123 and the password is 7Py2o7RS%

If you are unable to find your password, our technicians can likely find it for you. To speed up the process, it is ideal to have cPanel open when contacting us so we can quickly get your password reset.

Updating your MySQL pre4.1 password hashes to be MySQL 5.6 compatible

When you have found your username and password, it is time to update to the modern hash format. To do this, we simply “change” the password using the one already in place. Because all of our servers are now configured to use the new hash format by default, setting it back to the same password will replace the old hash with the new one. Same password, new hash.

To reset your password, first log into cPanel. There are two places to reset a MySQL user password:

1) If you are updating the cPanel user itself:

cPanel users have a MySQL user linked to them. To update the password hash for this account, simply reset your password with the “Change Password” function in cPanel. First set your password to something else, then change it back. This will effectively reset the cPanel MySQL user and use the new style of hash. The interface may change from server to server, but the screenshot below shows roughly what you are looking for:

[Screenshot: hashupdate-1]

2) For the other MySQL users:

Navigate to the “MySQL databases” tool.

[Screenshot: mysqldatabases]

For each MySQL user that needs to be updated, click “Set Password” and update the password.

[Screenshot: hashupdate-2]

The tool may differ between servers. On some, you may need to delete the account and remake it with the same password. In any case, this will use the new style hash and that user will be MySQL 5.6 compatible!

If you run into any trouble with this process, we are available 24/7/365 to help through phone, chat or ticket.


