Planet MySQL Planet MySQL: Meta Deutsch Español Français Italiano 日本語 Русский Português 中文
Showing entries 1 to 7

Displaying posts with tag: passwords (reset)

How MySQL 5.6 handles passwords more securely
+1 Vote Up -0Vote Down
There are many thing changed in MySQL 5.6 which are related to passwords:
  • There is a new password hash algorithm (SHA-256)
  • There is obfuscation for passwords with the .mylogin.cnf file.
  • The option to store slave passwords in a database table.
  • It's now possible to supply a password to START SLAVE.
But that's not what this blog post is about.

This blog post is a great new feature: Hiding passwords from your log files, automatically.

MySQL 5.6 will by default hide passwords from the general log. This is not just obfuscation as only the one-way hash will be put in the log files. By setting log-raw=OFF you can disable password hiding for the general log. The log-raw setting will only influence the general log, so the passwords in the slow query log and the binary logs will still be hidden.

With MySQL 5.5






  [Read more...]
Avoid clear text passwords in MySQL logging.
+3 Vote Up -0Vote Down
What happens when you use the PASSWORD() function to insert a password hash into a table?
  • The hash will be written to the table
  • The password might be written in clear text to the binlog
  • The password might be written in clear text to the general log
  • The password might be written in clear text to the slow query log
The query
mysql [localhost] {msandbox} (test) > INSERT INTO testpwd(pwd) VALUES(PASSWORD('secret_password'));
Query OK, 1 row affected (0.00 sec)

The General log
130128 16:04:41     1 Query     INSERT INTO testpwd(pwd) VALUES(PASSWORD('secret_password'))

The Slow query log
# Time: 130128 16:04:41
# User@Host: msandbox[msandbox] @ localhost []
# Query_time: 0.004887 Lock_time: 0.001043 Rows_sent: 0 Rows_examined: 0










  [Read more...]
MySQL client password security
+1 Vote Up -2Vote Down

In case you missed it, MySQL 5.6.6, also known as Milestone 9, was recently released. I have yet to install this, however just one part of the MySQL 5.6.6 Release Notes makes placing installing and testing high on my TODO list.

Updated 20 Sep, 2012. Be sure to also read Todd’s post Understanding mysql_config_editor’s security aspects about a more in-depth and accurate description of this new feature. In summary, “It makes secure access via MySQL client applications easier to use”.

That is the reported improvements in password management. From the release notes:

Security Improvements

These security improvements were implemented:



  [Read more...]
My Two Cents on MySQL Password Security
+1 Vote Up -1Vote Down

Lenz Grimmer recently wrote two blogs about password security on MySQL. Both are worth reading in detail. You’ll find them in Basic MySQL Security: Providing passwords on the command line and More on MySQL password security.

Although I wrote a comment on the latter one, there is one point I thought was worth its own blog.

GRANT … IDENTIFIED BY PASSWORD…

You can work around having to specify the password in the open following these steps:

  • Use a local or non-public instance (for example using MySQL Sandbox) to define the user / password combination you need:
    CREATE USER 'name'@'host'
  •   [Read more...]
    Does MySQL Send Passwords In the Clear?
    +0 Vote Up -0Vote Down

    I was asked this question recently, and I thought it was a great little tidbit of knowledge to pass along. The short answer is “no”. The slightly longer answer was written up by Jan Kneschke when dealing with a forum post about proxy + connection pooling.

    From http://forums.mysql.com/read.php?146,169265,169700

    The clear-text password is _never_ transfered in the authentication phase.

    On the network we have:
    * client connects to server (no data)
    * server sends a seed (40 char, one-time, random)
    * client sends 40 char hash of (seed + PASSWORD(clear-text-password))
    * server compares against the hash(seed + SELECT password FROM mysql.user WHERE username = )

    That way we never have the password as clear-text on the wire. (only in SET PASSWORD or GRANT statements).

    SQL commands for a fresh install
    +0 Vote Up -0Vote Down

    As a rule I always execute the following commands on a fresh database installation. Then for each user that is granted privileges, of course they are given a password and the host permissions are locked down as much as possible for their needs, alternately table and column privs as well. I’m not going to get into the parts the manual covers, but rather mention a couple of things on my mind.

    First the initial commands:


    mysql> use mysql
    mysql> delete from user where User='';
    mysql> delete from db where User='';
    mysql> update user set Password=password('password_here') where User=’root’;
    mysql> flush privileges;

    However, one thing I’ve noticed is that when you hand over a server to someone that doesn’t necessarily follow your same understanding or regard to user privilege security, bad things can







      [Read more...]
    Using DBMS_SYS_SQL to Execute Statements as Another User
    +0 Vote Up -0Vote Down
    I do realize that for most of you, there may be nothing new about the dbms_sys_sql package ? knowledge of it has been floating around for quite a while. I myself discovered this package a couple of years ago while playing around with HTMLDB’s (now APEX’s) internals. I’m posting this as a response to a [...]
    Showing entries 1 to 7

    Planet MySQL © 1995, 2014, Oracle Corporation and/or its affiliates   Legal Policies | Your Privacy Rights | Terms of Use

    Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.