
Outdated Authentication Methods

Thomas Shone edited this page Jan 8, 2023 · 4 revisions

Issue Type

Operational

Problem

MySQL 5.6+

Passwords that use the pre-4.1 hashing method (mysql_old_password) are less secure than passwords that use the native password hashing method and should be avoided. Pre-4.1 passwords are deprecated and support for them (including the mysql_old_password plugin) was removed in MySQL 5.7.5.

MySQL 5.7 Old Native Pluggable Authentication

MySQL 8.0+

In MySQL 8.0, caching_sha2_password is the default authentication plugin rather than mysql_native_password.

MySQL 8.0 caching_sha2_pluggable

Remediation

There are several ways to address this, but the most secure option is to set a new password for the user and communicate it to them manually.

MySQL 5.6+

ALTER USER 'user'@'localhost' IDENTIFIED WITH mysql_native_password BY 'new_password';

You can also add PASSWORD EXPIRE, which requires the user to set a new password the first time they authenticate.

ALTER USER 'user'@'localhost' IDENTIFIED WITH mysql_native_password BY 'new_temporary_password' PASSWORD EXPIRE;

MySQL 8.0+

ALTER USER 'user'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'new_password';

You can also add PASSWORD EXPIRE, which requires the user to set a new password the first time they authenticate.

ALTER USER 'user'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'new_temporary_password' PASSWORD EXPIRE;
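To find which accounts the statements above need to be run against, the following audit queries can be used. They are an added example, not part of the original page; they assume an account with SELECT on mysql.user, and the temporary password shown is a placeholder to replace per account.

```sql
-- MySQL 5.6: accounts still using pre-4.1 hashing.
-- Pre-4.1 hashes are 16 hex characters; native hashes are 41 characters
-- beginning with '*'. The Password column exists only before MySQL 5.7.6.
SELECT user, host, plugin
FROM mysql.user
WHERE plugin = 'mysql_old_password'
   OR LENGTH(Password) = 16
ORDER BY user, host;

-- MySQL 8.0+: accounts still on mysql_native_password instead of the
-- default caching_sha2_password.
SELECT user, host, plugin, password_expired, account_locked
FROM mysql.user
WHERE plugin = 'mysql_native_password'
ORDER BY user, host;

-- MySQL 8.0+: generate one remediation statement per affected account.
-- '<new_temporary_password>' is a placeholder: substitute a unique value
-- for each account before running the generated statements.
SELECT CONCAT(
         'ALTER USER ', QUOTE(user), '@', QUOTE(host),
         ' IDENTIFIED WITH caching_sha2_password',
         ' BY ''<new_temporary_password>'' PASSWORD EXPIRE;'
       ) AS remediation_statement
FROM mysql.user
WHERE plugin = 'mysql_native_password'
ORDER BY user, host;
```

Re-running the first two queries after remediation should return no rows.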

External Resources