The authentication, the first level of security for each IT system, is the stage to verify the user identity through the basic username and password scheme. It is crucial to have a mechanism to protect and secure password storing and transmitting over network.

In MySQL, there is plenty of different authentication methods available, and last versions improved the security of this concept.

At the beginning, the mechanism, called mysql_old_password, was pretty insecure: it’s based on a broken hashing function and the password is 16 bytes long. It was not so complex for attackers to find a plaintext password from the hash stored in the password column of …

The authentication, the first level of security for each IT system, is the stage to verify the user identity through the basic username and password scheme. It is crucial to have a mechanism to protect and secure password storing and transmitting over network.

In MySQL, there is plenty of different authentication methods available, and last versions improved the security of this concept.

At the beginning, the mechanism, called mysql_old_password, was pretty insecure: it’s based on a broken hashing function and the password is 16 bytes long. It was not so complex for attackers to find a plaintext password from the hash stored in the password column of …

MySQL 8.0 has introduced an optional behavior that authorize users to change their password only if they could provide the current password.

The post MySQL Security - Password Verification-Required Policy first appeared on dasini.net - Diary of a MySQL expert.

We have just released MySQL 8.0.20. And it has some interesting replication enhancements. In particular one big and exciting feature: binary log compression. Here is the list of things in this release:

• Binary Log Compression (WL#3549). This work done by Luís Soares implements binary log compression, making use of the popular compression algorithm ZSTD.

… Tweet Share

MySQL provides password-reuse capability, which allows database administrators to determine the number of unique passwords a user must use before they can use an old password again.

The post MySQL Security - Password Reuse Policy first appeared on dasini.net - Diary of a MySQL expert.

MySQL provides password-expiration capability, which enables database administrators to require that users reset their password.

The post MySQL Security – Password Expiration Policy first appeared on dasini.net - Diary of a MySQL expert.

The other day on a call, a client asked me an interesting question.  We were discussing some testing they were doing in Amazon Relational Database Service (RDS).  The question came up “since RDS is managed, how can I prove to my security team that the data is actually encrypted?”  We’ve all read whitepapers and blogs that talk about encryption in the cloud, but it is something I’ve not needed to validate before.  Instead, I just enable encryption when I create an RDS instance and move along to the next steps of the setup. This discussion really got me thinking – what is the best way to enable and test encryption at rest in my RDS instance?

Encryption at Rest – MySQL Fundamentals

Before getting too far into the RDS specifics, I wanted to cover the basics of encryption at rest in MySQL.  There are essentially two ways to encrypt data at rest:

• Full disk encryption (filesystem/block …

MySQL has the capability of generating random passwords for user accounts, as an alternative to requiring explicit administrator-specified literal passwords.

The post MySQL Security - Random Password Generation first appeared on dasini.net - Diary of a MySQL expert.

Early on in the MySQL 8.0 Release series there were a couple of key items related to our everyday use.  They are MySQL-Shell‘s establishing the “Pluggable Password Store” in 8.0.12, and its super enhance API Command Line Interface in 8.0.13… which the Pluggable Password Store also adopted. Sadly, most content highlighting the API CLI capability when it came… Read More »

Then secretary of Defense Donald Rumsfeld popularized the terms: “known knowns”, “known unknowns”, and “unknown unknowns.” With the ever-increasing number of data breaches and vulnerabilities, database operation teams have to account for every possibility. Visualizing your audit data allows you to look for the “unknowns”, those access patterns or connections that you’d otherwise overlook.

Although enabling an audit log and shipping it off to a vault may meet security and regulatory requirements, you will lose an important opportunity to protect your customer and employee information.

The following dashboard demonstrates the type of information that audit logs can reveal:

• Who is connecting to my database (IP address, location, username..)
• Who is trying to connect to my database but getting access errors?
• Which tables are being accessed and by whom?
…