Documentation Home
Security in MySQL
Related Documentation Download this Excerpt
PDF (US Ltr) - 1.2Mb
PDF (A4) - 1.2Mb
EPUB - 311.6Kb
HTML Download (TGZ) - 271.8Kb
HTML Download (Zip) - 281.4Kb

Security in MySQL  /  ...  /  The Old Native Authentication Plugin

7.1.2 The Old Native Authentication Plugin

MySQL includes two plugins that implement native authentication; that is, authentication against passwords stored in the Password column of the mysql.user table. This section describes mysql_old_password, which implements authentication against the mysql.user table using the older (pre-4.1) password hashing method. For information about mysql_native_password, which implements authentication using the native password hashing method, see Section 7.1.1, “The Native Authentication Plugin”. For information about these password hashing methods, see Section 2.2.4, “Password Hashing in MySQL”.


Passwords that use the pre-4.1 hashing method are less secure than passwords that use the native password hashing method and should be avoided. Pre-4.1 passwords are deprecated and support for them (including the mysql_old_password plugin) is removed in MySQL 5.7.5. For account upgrade instructions, see Section 7.1.3, “Migrating Away from Pre-4.1 Password Hashing and the mysql_old_password Plugin”.

The mysql_old_password native authentication plugin is backward compatible. Clients older than MySQL 5.5.7 do not support authentication plugins but do use the native authentication protocol, so they can connect to servers from MySQL 5.5.7 and up.

The following table shows the plugin names on the server and client sides.

Table 7.2 MySQL Old Native Authentication Plugin

Server-side plugin namemysql_old_password
Client-side plugin namemysql_old_password
Library file nameNone (plugins are built in)

The plugin exists in both client and server form:

  • The server-side plugin is built into the server, need not be loaded explicitly, and cannot be disabled by unloading it.

  • The client-side plugin is built into the libmysqlclient client library as of MySQL 5.5.7 and available to any program linked against libmysqlclient from that version or newer.

  • MySQL client programs can use the --default-auth option to specify the mysql_old_password plugin as a hint about which client-side plugin the program can expect to use:

    shell> mysql --default-auth=mysql_old_password ...

If an account row specifies no plugin name, the server authenticates the account using either the mysql_native_password or mysql_old_password plugin, depending on whether the password hash value in the Password column used native hashing or the older pre-4.1 hashing method. Clients must match the password in the Password column of the account row. As of MySQL 5.7.2, the server requires the plugin value to be nonempty, and as of 5.7.5, support for mysql_old_password is removed.

For general information about pluggable authentication in MySQL, see Section 5.8, “Pluggable Authentication”. For information about setting up proxy users, see Section 5.9, “Proxy Users”.

User Comments
Sign Up Login You must be logged in to post a comment.