[thelist] md5 hashed password problem

Phil Turmel pturmel-webdev at turmel.org
Wed Aug 15 22:04:07 CDT 2007


Bob Meetin - 303-926-0167 - www.dottedi.biz wrote:
> Thank you so much- we have blast off.  I need to write up some steps to 
> turn this into a conversion-type routine, but the result was that it 
> works to authenticate and grant access.  I think what I need to do is
> 
> 1) set old password off for original members and authenticate,
> 2) capture the password that they entered to successfully authenticate,
> 3) convert to the new scheme, and
> 4) change them from flagged, historic to regular. 
> 
> Or something thereabouts. Unless I am missing something it seems that I 
> should be able to add a password flag field to the members table and use 
> an if/else to update this field. Sorry Hassan but this is not ugly and 
> annoying to me, more like a life-saver as well as a learning 
> experience!  I will let y'all know when I have this working.
> 
> Happy Bob
> 
> Hassan Schroeder wrote:
> 
> So, out of curiosity --  per-connection basis
> 
>>> I tried a quick experiment, and it appears that you /can/ set this on a
>>> per-connection basis. So all you have to do is flag the moved-over
>>> users as 'uses_old_passwords', and then when one of them logs in,
>>> do a SET OLD_PASSWORDS="OFF" before the password comparison.
>>>
>>>     
> 
> 
Bob,

Sorry to chime in late. But you are going *backwards*.  The OLD host is
using the NEW password scheme.  Your NEW host is using the OLD password
scheme.  You might want to take MySQL's advice[1] and not use *either*
scheme for your application.  MySQL doesn't guarantee that the new
password scheme won't be changed again later.

I suggest you use the on-the-fly method you've already worked out to
convert all users' passwords to MD5(), so you won't have to do it again
a few years from now.

HTH,

Phil Turmel

[1] Look at the "Note:" in MySQL's docs for PASSWORD():
http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html#function_password
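
The on-the-fly conversion discussed in this thread, as an added example that is not part of the original posts: a flagged member is checked against the MySQL 4.1+ PASSWORD() format ('*' plus uppercase hex of SHA1(SHA1(password))), then re-hashed and unflagged. Assumptions: a dict stands in for the members table, the function names and iteration count are hypothetical, and salted PBKDF2 is swapped in as the target scheme in place of the MD5() named above.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune for your hardware


def mysql41_password(pw):
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(pw))."""
    inner = hashlib.sha1(pw.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def pbkdf2_record(pw, salt=None):
    """Application-owned format: scheme$iterations$salt$derived_key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_pbkdf2(pw, record):
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(members, name, pw):
    """Authenticate; migrate a flagged row on its first successful login."""
    row = members.get(name)
    if row is None:
        return False
    if row["uses_old_passwords"]:
        if not hmac.compare_digest(mysql41_password(pw), row["password"]):
            return False  # failed login: leave hash and flag untouched
        # The plaintext is only available at this moment, so convert now.
        row["password"] = pbkdf2_record(pw)
        row["uses_old_passwords"] = False
        return True
    return verify_pbkdf2(pw, row["password"])


# Constructed sample row standing in for the members table.
members = {"bob": {"password": mysql41_password("s3cret-sample"),
                   "uses_old_passwords": True}}
```

In a real application the two assignments in `login` would be a single UPDATE on the member's row, so the hash and the flag change together.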


