Question

I've compiled & installed mysql-5.1.59 on an x86_64 Linux server.

First I set the root password in the CLI and logged in:

$ bin/mysqladmin -uroot password 'somepass'
$ bin/mysql -uroot -p 'somepass'
mysql>

Login succeeded!

Then I created a user using SQL statements:

mysql> grant all privileges on mydb.* to 'myuser'@'localhost' identified by 'somepass';
mysql> flush privileges;

The password is exactly the same as root.

But after I queried:

mysql> select host,user,password from mysql.user;

I noticed that the password values of the two accounts are not the same. And I tried to log in to MySQL with myuser but failed.

By the way, if I change the root password this way:

mysql> update mysql.user set password=PASSWORD('somepass') where user='root';
mysql> flush privileges;

Then I can't log in to MySQL with root anymore:

$ bin/mysql -uroot -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

This never happens on my other servers. It seems like the issue has something to do with the OS. How could the hashed values be different from each other? Thanks!


Solution

Although the MySQL documentation is a bit sparse in this area, I would assume it's salting the passwords.

For security, a random value called "salt" is typically added to a password before it is hashed. With the salt, the resulting hash on the same password is very different.

From Wikipedia:

The benefit provided by using a salted password is making a lookup table assisted dictionary attack against the stored values impractical, provided the salt is large enough. That is, an attacker would not be able to create a precomputed lookup table (i.e. a rainbow table) of hashed values (password + salt), because it would take too much space. A simple dictionary attack is still very possible, although much slower since it cannot be precomputed.
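
An added example, not part of the original answer and not MySQL's own code: the 41-character format produced by PASSWORD() in MySQL 4.1 and later is an unsalted double SHA-1, so there the same password always yields the same stored value, while a salted scheme of the kind described above yields a different value for every salt. The sample `mysql.user` rows, the helper names and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
import re

def mysql41_hash(password: str) -> str:
    """41-char format of MySQL 4.1+ PASSWORD(): '*' + HEX(SHA1(SHA1(pw))), no salt."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def classify(stored: str) -> str:
    """Name the format of a value from the mysql.user password column."""
    if re.fullmatch(r"\*[0-9A-Fa-f]{40}", stored):
        return "4.1+"
    if re.fullmatch(r"[0-9A-Fa-f]{16}", stored):
        return "pre-4.1"
    return "empty" if stored == "" else "unknown"

def matches_mysql41(stored: str, candidate: str) -> bool:
    """Constant-time check of a candidate password against a 4.1+ value."""
    return classify(stored) == "4.1+" and hmac.compare_digest(
        stored.upper(), mysql41_hash(candidate))

def salted_hash(password: str, salt: bytes = None, rounds: int = 100_000):
    """Salted PBKDF2-HMAC-SHA256 (assumed parameters); returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)

def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)

# Constructed rows (user, password column); not taken from the question.
ROWS = [
    ("root", mysql41_hash("somepass")),
    ("myuser", "0123456789abcdef"),  # constructed 16-hex value, pre-4.1 shape
]

def report(rows, candidate):
    """Per account: stored format and whether the candidate matches (4.1+ only)."""
    return {user: (classify(stored), matches_mysql41(stored, candidate))
            for user, stored in rows}

if __name__ == "__main__":
    print(report(ROWS, "somepass"))
    (_, d1), (_, d2) = salted_hash("somepass"), salted_hash("somepass")
    print("salted digests equal:", d1 == d2)  # different salts, different digests
```

In MySQL 5.1 the `old_passwords` setting decides which of the two column formats PASSWORD() produces, so values of different lengths for two accounts indicate different formats.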

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow