← All tools
// HASH & CRYPTO

MySQL Password Generator online

Generate the MySQL PASSWORD() hash of any string — double SHA-1, browser-side.

MySQL Password Generator logo
by
CHUNKY
MUNSTER
MYSQL PASSWORD() HASH

About MySQL Password Hashing

MySQL's PASSWORD() function (used in MySQL 4.1+ and MariaDB) applies two rounds of SHA-1 hashing. The first hash is applied to the plaintext, and then SHA-1 is applied again to the binary result. The final hash is prefixed with * and uppercased. This tool replicates that algorithm using the browser's native Web Crypto API.

Security note: MySQL's PASSWORD() function is considered weak for storing passwords by modern standards. Use bcrypt, Argon2 or scrypt for new applications.

How to Use the MySQL Password Generator

  1. Type or paste the plaintext password into the input field — use Show to verify what you typed.
  2. Click Generate MySQL hash. The asterisk-prefixed hex string appears below.
  3. Copy the *4ACF…-style value and drop it into your INSERT, ALTER USER … IDENTIFIED WITH mysql_native_password BY … or UPDATE mysql.user statement.
  4. Click Clear to wipe both the input and the result from the page.

MySQL's PASSWORD() function — the basis of the mysql_native_password plugin since version 4.1 — applies SHA-1 to the plaintext, then SHA-1 again to the raw 20-byte binary digest, and prefixes the uppercase hex result with an asterisk. This generator reproduces that exact byte sequence using the browser's Web Crypto API, so the output drops straight into mysql.user.authentication_string or a migration script. It is intended for legacy compatibility — modern MySQL 8.0 servers default to caching_sha2_password and treat native_password as deprecated.

How the MySQL Password Generator Works

Use it when you need to import accounts into an old replica, prepare a fixed hash for an automation script, or audit whether a stored credential matches a known value. Because both SHA-1 rounds happen in your browser via crypto.subtle.digest(), the plaintext password never leaves the page — there is no network request, no telemetry, no log. Do not adopt this hash format to protect new applications: SHA-1 has known collision attacks and the scheme is unsalted, so identical passwords always produce identical hashes.

Frequently Asked Questions

Is MySQL's PASSWORD() function still safe to use for new databases?

No. PASSWORD() has been deprecated since MySQL 5.7 and removed in 8.0+. New deployments use caching_sha2_password by default; this format remains here for compatibility with legacy mysql_native_password accounts.

Why does the output start with an asterisk?

The leading * marks the hash as the post-4.1 long format (41 characters total). MySQL stores it that way in mysql.user so the server can distinguish it from the older 16-character pre-4.1 hashes.

How is this different from MD5 or a single SHA-1?

PASSWORD() applies SHA-1 twice — once to the plaintext, then again to the binary digest of the first hash. That second pass is over raw bytes, not over hex, which is what produces the canonical *HEX value MySQL stores.

Will this match what MariaDB stores?

Yes, for accounts using the mysql_native_password plugin. MariaDB up to 11.x uses the same double-SHA-1 scheme; ed25519 and PAM authentication plugins use entirely different formats and won't match this output.

Explore the full suite of HASH & CRYPTO tools and 290+ other free utilities at Chunky Munster.