As Todd Farmer points out in Understanding mysql_config_editors security
aspects, the new .mylogin.cnf file generated by mysql_config_editor does not securely store
the password used to login to the database. It just obfuscates
The format of the file is as follows (as of MySQL 5.6.7-RC):
- 4 Bytes Zero (Version Information)
- 20 Bytes Key Generation Matter
- 4 Bytes Length information
- Length bytes crypted matter. The crypt is done using the AES ENCRYPT function, which in itself is insecure: It is an aes-128-ecb with a NULL IV.
The key used by AES 128 needs to be CHAR(16), but the function accepts any string as a key generation matter. It generates the key from the key generation matter by xor-ing the key generation matter onto itself in a 16 byte loop, starting with a buffer of NULL bytes.
Continue reading ".mylogin.cnf password recovery"