Information
The mysql_old_password plugin uses a broken password hashing routine with several known flaws. It is present but not used by default in MariaDB. Steps should be taken to ensure that passwords will not be created with this plugin and that clients will not be able to authenticate to the MariaDB server using this plugin.
The old_passwords system variable controls whether MariaDB server uses the mysql_old_password plugin (instead of the stronger mysql_native_password plugin) when creating passwords. The secure_auth system variable, when enabled, will block client connections that utilize the mysql_old_password plugin.
Rationale:
Use of the mysql_old_password plugin risks disclosure of users' passwords and also permits Pass-the-Hash attacks.
Solution
If old_passwords was ON, add the following line to the [mariadbd] section in mariadb.cnf:
old_passwords=0
If secure_auth was OFF, add the following line to the [mariadbd] section in mariadb.cnf:
secure_auth=ON
Restart MariaDB.
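The Python script below is an added example, not part of the benchmark text or of MariaDB's own tooling. It audits a mariadb.cnf for the two settings the solution describes, rewrites them to the recommended values (adding a [mariadbd] group if none exists), and flags accounts still tied to mysql_old_password in a constructed excerpt of mysql.user. The sample config and user rows are constructed; treating [mysqld] as a legacy alias of [mariadbd] and using the 16-hex-character shape of pre-4.1 hashes as a heuristic are assumptions of the example. To confirm the running server rather than the file, SHOW GLOBAL VARIABLES LIKE 'old_passwords' and SHOW GLOBAL VARIABLES LIKE 'secure_auth' report the live values.

```python
import re

# Constructed sample mariadb.cnf with the weak settings (assumption: not taken from the benchmark page)
SAMPLE_CNF = """\
[mariadbd]
datadir = /var/lib/mysql
old_passwords = 1      # new passwords would be hashed with mysql_old_password
secure_auth = OFF      # clients with old-style hashes may still connect
"""

# Option groups the server reads; [mysqld] as the legacy alias of [mariadbd] is an assumption of this example
SERVER_SECTIONS = ("mariadbd", "mysqld")
TRUE_VALUES = {"1", "on", "true", "yes"}
FALSE_VALUES = {"0", "off", "false", "no"}
DESIRED = {"old_passwords": "old_passwords=0", "secure_auth": "secure_auth=ON"}
_SECTION_RE = re.compile(r"^\[(.+?)\]$")


def _key(raw_key: str) -> str:
    # old-passwords and old_passwords name the same option
    return raw_key.strip().lower().replace("-", "_")


def parse_cnf(text: str) -> dict[str, dict[str, str]]:
    """Minimal option-file parser: group -> {option: value}, in file order; a bare flag is stored as '1'."""
    groups: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if not line:
            continue
        if m := _SECTION_RE.match(line):
            current = m.group(1).strip().lower()
            groups.setdefault(current, {})
        elif current is not None:
            key, _, value = line.partition("=")
            groups[current][_key(key)] = value.strip().strip("'\"") or "1"
    return groups


def as_bool(value: str, default: bool) -> bool:
    """Interpret ON/OFF, 1/0 and friends, falling back to the documented default."""
    v = value.strip().lower()
    return True if v in TRUE_VALUES else False if v in FALSE_VALUES else default


def audit_cnf(text: str) -> list[str]:
    """Findings for the config; an empty list means both settings already match the benchmark."""
    merged: dict[str, str] = {}
    for name, options in parse_cnf(text).items():
        if name in SERVER_SECTIONS:
            merged.update(options)                  # later groups in the file override earlier ones
    findings = []
    # Defaults as stated on the page: old_passwords OFF, secure_auth ON
    if as_bool(merged.get("old_passwords", "OFF"), False):
        findings.append("old_passwords is enabled: new passwords would be hashed with mysql_old_password")
    if not as_bool(merged.get("secure_auth", "ON"), True):
        findings.append("secure_auth is disabled: clients may authenticate with mysql_old_password")
    return findings


def harden_cnf(text: str) -> str:
    """Rewrite server groups so old_passwords=0 and secure_auth=ON; add a [mariadbd] group if none exists."""
    out, current, seen = [], None, set()
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if m := _SECTION_RE.match(stripped):
            current = m.group(1).strip().lower()
        elif current in SERVER_SECTIONS and stripped:
            key = _key(stripped.partition("=")[0])
            if key in DESIRED:
                out.append(DESIRED[key])            # replace the weak line in place
                seen.add(key)
                continue
        out.append(raw)
    missing = [line for key, line in DESIRED.items() if key not in seen]
    if missing:
        headers = [i for i, l in enumerate(out) if l.strip().lower() == "[mariadbd]"]
        if headers:
            out[headers[0] + 1:headers[0] + 1] = missing
        else:
            out += ["", "[mariadbd]"] + missing
    return "\n".join(out) + "\n"


# Pre-4.1 hashes are 16 hex characters; mysql_native_password hashes are '*' plus 40 hex characters
LEGACY_HASH = re.compile(r"^[0-9a-fA-F]{16}$")

# Constructed rows in the shape of: SELECT user, host, plugin, authentication_string FROM mysql.user
SAMPLE_USERS = (
    ("app", "10.0.0.%", "mysql_native_password", "*A1B2C3D4E5F60718293A4B5C6D7E8F9001122334"),
    ("legacy", "%", "mysql_old_password", "5d2e19393cc5ef67"),
    ("report", "localhost", "", "7f8b3a2c1d4e5f60"),
)


def find_legacy_accounts(rows) -> list[str]:
    """Accounts still tied to mysql_old_password, by plugin name or by the 16-hex hash shape."""
    return [f"{user}@{host}" for user, host, plugin, auth in rows
            if plugin == "mysql_old_password" or LEGACY_HASH.match(auth or "")]


if __name__ == "__main__":
    for finding in audit_cnf(SAMPLE_CNF):
        print("FINDING:", finding)
    print("Legacy accounts:", find_legacy_accounts(SAMPLE_USERS))
    print(harden_cnf(SAMPLE_CNF))
```

Run it as-is to see the two findings, the flagged accounts and the hardened file. The account check matters because setting old_passwords=0 only affects passwords created afterwards; existing accounts with old-style hashes must be re-set with a new password, otherwise enabling secure_auth locks them out rather than migrating them.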
Default Value:
old_passwords is OFF by default. secure_auth is ON by default.