MySQL 5.7 introduced many new facets to password security. The first thing most people notice is that you are assigned a random root password at installation time. You then have to search the log file for this random password, use it to log in, and then change it. For the examples in this post I am using a fresh install of 5.7.13 on Oracle Linux 7.1 and was provided with the easy-to-remember password of nLvQRk7wq-NY, which to me looked like I forgot to hit escape when trying to get out of vim. A quick ALTER USER to change the password and you are on your way.
Defaults: Password Lifetime and Complexity
5.7.13 now has the default password lifetime set to 0, or 'never expire'. My fresh install shows that the value of mysql.user.password_lifetime is set to NULL, which …
[Read more]
I was surprised to find on one of my websites the message “Connect failed: Your password has expired. To log in you must change it using a client that supports expired passwords.”
Not knowing that I was using a MySQL password expiry policy, I quickly reviewed the 5.7 documentation, which *clearly* states “The default default_password_lifetime value is 0, which disables automatic password expiration.”
I then proceeded to investigate further, my steps are below the following comment.
However, with MySQL documentation and a new feature (in this case a 5.7 feature) it is always important to review the release notes when installing versions, or at least to read ALL the documentation, because you may miss important information, such as:
…
[Read more]
Complementing the expanded CREATE USER syntax introduced in MySQL Server 5.7.6 is more useful ALTER USER syntax. Before MySQL Server 5.7.6, ALTER USER could only be used to expire a user’s password. That’s pretty limited. With changes made in MySQL Server 5.7.6, a better distinction is made between privilege-level attributes (those which are managed via GRANT and REVOKE statements) and account-level attributes (those managed using CREATE USER and ALTER USER statements). MySQL has a long history of confusing these – for example, requiring a GRANT
…
MySQL has provided support for proxy users since version 5.5, but the roles-like capabilities offered have been largely unnoticed until recently. Part of that has been due to limitations on which types of accounts could leverage proxy user capabilities. This changes with the release of MySQL Server 5.7.7 (Release Candidate), which includes support for proxy user mapping for the standard mysql_native_password and sha256_password authentication plugins. This post will introduce the new functionality and explain how to leverage it to emulate certain features …
[Read more]
Mermaids have the same probability of fixing your permission problems, but people continue believing in the FLUSH PRIVILEGES myth.
I see the use of FLUSH PRIVILEGES suggested every time someone writes a tutorial or a solution to a problem regarding creating a new account or granting different privileges. For example, the top post on /r/mysql as of the writing of these lines, “MySQL:The user specified as a definer does not exist (error 1449)-Solutions”, has multiple guilty cases of this (Update: the user has corrected those lines after I posted this article).
It is not my intention to bash that post, but I have seen …
[Read more]
A series of related discussions triggered by difficulty in setting passwords via scripts using the mysql command-line client when an account has an expired password caused me to look into the interaction between expired passwords and batch mode, and this blog post resulted. I hope it’s a useful explanation of the behavior and the workaround to those troubled by it, and amplifies the excellent documentation in the user manual.
The ability to flag accounts as having expired passwords first appeared in MySQL 5.6, with further …
[Read more]
Today let’s talk about how to change a MySQL user password.
We can use 2 ways: 1 – mysqladmin, 2 – the SQL language
1. mysqladmin:
The syntax is easy:
mysqladmin -u USER -p password NEWPASSWORD
Let’s then change the password of the ‘marcelo’ user to ’123′:
mysqladmin -u marcelo -p password '123'
For this command, we have 3 problems:
. You can only change your own user's password
. You need SUPER PRIVILEGES to run this command
. If you share your Linux user account with other users, this command will appear in the shell history; to avoid it we can edit ~/.bash_history and delete these lines
2. SQL (the best in my opinion):
To change the password, we’ll just run an update on the user table in the mysql db. You can do this in 2 ways, both with the same result:
SET PASSWORD FOR 'user'@'host' = PASSWORD('newpass');
or
UPDATE …[Read more]
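The following is an added example, not code from any of the posts above. It pulls together the 5.7 account-level statements the posts on password lifetime, FLUSH PRIVILEGES and changing a user password discuss: inspecting the expiry policy, changing a password with ALTER USER (which, unlike a direct UPDATE of mysql.user, goes through the authentication plugin and needs no FLUSH PRIVILEGES), and setting a per-account lifetime. The account 'app'@'localhost' and the password value are constructed placeholders.

```sql
-- Added example; 'app'@'localhost' is a placeholder account.

-- 1. What policy is in force? The server-wide default and each account's override.
SHOW VARIABLES LIKE 'default_password_lifetime';
SELECT user, host, password_lifetime, password_expired, password_last_changed
  FROM mysql.user
 WHERE user = 'app';
-- password_lifetime NULL means "use default_password_lifetime";
-- password_expired 'Y' means the next login must change the password.

-- 2. Change the password the 5.7 way. This is preferred over
--    SET PASSWORD ... = PASSWORD() and over UPDATE mysql.user SET ...,
--    because only the grant-table UPDATE bypasses the plugin and then
--    actually requires FLUSH PRIVILEGES.
ALTER USER 'app'@'localhost' IDENTIFIED BY 'ch4ngeMe-placeholder';

-- 3. Per-account lifetime, which overrides the global default.
ALTER USER 'app'@'localhost' PASSWORD EXPIRE INTERVAL 90 DAY;   -- rotate every 90 days
ALTER USER 'app'@'localhost' PASSWORD EXPIRE NEVER;             -- exception for a service account
ALTER USER 'app'@'localhost' PASSWORD EXPIRE DEFAULT;           -- back to default_password_lifetime

-- 4. Force a reset now: the account enters the state that makes clients
--    report "Your password has expired" until the password is changed.
ALTER USER 'app'@'localhost' PASSWORD EXPIRE;

-- 5. Set the global policy explicitly (0 disables automatic expiry).
--    Make it permanent with default_password_lifetime=90 under [mysqld] in my.cnf.
SET GLOBAL default_password_lifetime = 90;
```

Re-run the SELECT from step 1 after each ALTER USER to see password_lifetime and password_expired change.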
I was talking with a client and the topic of password crypting came up. From my background as a C coder, I have a few criteria to regard a mechanism to be safe. In this case we’ll just discuss things from the perspective of secure storage, and validation in an application.
- use a digital fingerprint algorithm, not a hash or CRC. A hash is by nature lossy (generates evenly distributed duplicates) and a CRC is intended to identify bit errors in transmitted data, not compare potentially different data.
- Store/use all of the fingerprint, not just part (otherwise it’s lossy again).
- SHA1 and its siblings are not ideal for this purpose, but ok. MD5 and that family of “message digests” has been proven flawed long ago, they can be “freaked” to create a desired outcome. Thus, it is possible to …
XKCD (as usual) makes a very good point – this time about password strength, and I reckon it’s something app developers need to consider urgently. Geeks can debate the exact amount of entropy, but that’s not really the issue: insisting on mixed upper/lower and/or non-alpha and/or numerical components to a user password does not really improve security, and definitely makes life more difficult for users.
So basically, the functions that do a “is this a strong password” should seriously reconsider their approach, particularly if they’re used to have the app decide whether to accept the password as “good enough” at all.
Update: Jeff Preshing has written an xkcd password generator. Users probably should choose their own four …
[Read more]
Three ways to recover a root user password:
The solutions below get more creative as you go down :)
1. Obviously, before starting to mess around, check my.cnf or scripts for password entries, then try home directories for password files.
2. Secondly – can you restart mysql? If yes, restart with --skip-grant-tables, log into mysql, change your password and restart without --skip-grant-tables.
3. Third option – (on linux / unix ONLY)
If you haven’t found the password anywhere and can’t afford to restart your mysql:
cd data/mysql
cp -rp user.MYD bck_user.MYD_`date +%Y%m%d`
cp -rp user.MYD /tmp/user.MYD
vi /tmp/user.MYD #(edit the hashed passwords next to root*)
cp -rp /tmp/user.MYD user.MYD
sudo kill -HUP `pidof mysqld`
Note that the latter method of recovering a root password CAN be easily used maliciously leaving no trace! The only way to avoid such an attack is to make the …
[Read more]