In an effort to increase security and ensure that all our client's data and settings are up to par with current standards, we have phased out the old 16 byte hash for MySQL database passwords and instead replaced it with a much more secure 41 byte hash.
If your database driven website starts throwing you the following error message: MySQL Errors - You must SET PASSWORD/Password should be a 41-digit hexadecimal number; then you will have to reset it to meet the new standard through your cPanel or Plesk account.
You can reset the password using your existing password, to reduce the chances of conflict (i.e. "p@$$w0rd"). Simply access your control panel and under databases, scroll down to users and click on "Change Password". You can use your same password on the respective fields (but if possible, we suggest you make it stronger). By doing this, your connection strings will remain the same for your website, however the password format will change from the old 16 byte hash to the new 41 byte hash.
The complete phase out of Hash16 will occur during the month of August 2018. If you have not changed your old password to the new hash, access to your site may be interrupted with the various error messages.
If you created your database or updated your MySQL user passwords for a separate reason, after January 2016 you can safely ignore this message. Everyone else may need to double check. The migration started back in 2011 but the extensive usage of this old hash forced us to keep it for existing databases up until now.
You can follow the complete cPanel password tutorial here: cPanel Change Current User Password
For users with an affected MySQL password hash, you should have received an automated email explaining the procedure.
Little extra explanation:
| Type | Bytes | Detail | |
|---|---|---|---|
| pre-4.1 MySQL | Password | 16 | |
| MD5 | 32 | ||
| SHA-1 | 40 | ||
| 4.1+ MySQL | Password | 41 | 40 bytes, prepended with an asterisk (*) |
| SHA-256 | 64 | ||
| SHA-512 | 128 | ||
Let's assume you have a password set as P@s$w0rD.
Basically, using the old 16 byte hash format for the above password, you'd have a short hexadecimal string of 16 characters long: 3686290e58cc49d1
Where as the new 41 byte hash creates a longer, 40 character long hash, preceded by an asterisk that is much harder to crack: *79264EA9BD0A4608AB5CEE0A6CC7230374A19517
A word of warning: While the above example can be considered a secure password, please don't use it as it is easy to crack because of how commonly used it surprisingly is! Try to stay away from dictionary-type combinations, and instead try to make them more random or harder to figure out.
While the new hash seems to have a heightened level of security, someone who really wants to hurt you, could potentially crack your password (this is true regardless of the byte level used). This will potentially allow them to do a MySQL injection attack and other damage, but with a complex password using mixed combinations with numbers, letters and special characters could make it extremely difficult to attack you. For this reason, a stronger hash of an already very strong password will make it much harder to brute force your hashes and harm you. We know we were being redundant, but that's just how important this is.
Further Assistance:
If you have further questions or need assistance with the update, please contact our support department.
Thank you for choosing BZVweb for your Professional Hosting Needs!
