THE WORLD DISCUSSES #PYTHIAN ON TWITTER. HAVE A QUESTION? USE OUR HASHTAG AND ASK AWAY.

My Two Cents on MySQL Password Security

Posted by Gerry Narvaja on Jun 5, 2009

Lenz Grimmer recently wrote two blogs about password security on MySQL. Both are worth reading in detail. You’ll find them in Basic MySQL Security: Providing passwords on the command line and More on MySQL password security.

Although I wrote a comment on the latter one, there is one point I thought was worth its own blog.

GRANT … IDENTIFIED BY PASSWORD…

You can work around having to specify the password in the open following these steps:

  1. Use a local or non-public instance (for example using MySQL Sandbox) to define the user / password combination you need: 
    CREATE USER 'name'@'host' IDENTIFIED BY 'secret';
  2. Use SHOW GRANTS to get the hashed password: 
    SHOW GRANTS FOR 'name'@'host';
+------------------------------------------------------------------------------+
| Grants for name@host                                                         |
+------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'name'@'host' IDENTIFIED BY PASSWORD '*<hash value>'   |
+------------------------------------------------------------------------------+
  3. Log in to the production (or public) server and use CREATE USER with the hash value obtained above: 
    CREATE USER 'name'@'host' IDENTIFIED BY '*<hash value>'

This way, even if the CREATE USER ... (or GRANT) shows in plain text in the MySQL history, binary logs or anywhere else, the password remains secret.

Category: MySQL
Tags: , , , ,

5 Responses

  1. Tom Krouper says:
    June 5, 2009 at 5:55 pm

    Another option would be to just

    SELECT PASSWORD(’xxxxxx’);

    The result will give you the hashed password. If you wanted to go crazy you could do something like…

    SELECT CONCAT(”CREATE USER ‘name’@'host’ IDENTIFIED BY ‘”,password(’xxxxx’),”‘;”);

    And copy the whole line.

    Reply
  2. Mac says:
    June 5, 2009 at 6:48 pm

    I think I usually use Tom’s method (ie PASSWORD() function), but it’s always good to know alternatives. Thanks for the info.

    -Mac

    Reply
  3. Ronald Bradford says:
    June 8, 2009 at 12:00 pm

    That’s a good tip.

    Reply
  4. Gerry says:
    June 8, 2009 at 1:17 pm

    PASSWORD() works, as long as you keep using it on the private server before re-using the hash value. I like SHOW GRANTS because it already shows you the whole GRANT command line which I can copy & paste … call my lazy.

    Reply
  5. Craig Sylvester says:
    June 10, 2009 at 11:50 am

    Hi Gerry,

    Good tip. However, you need to include the “PASSWORD” keyword in step 3:

    CREATE USER ‘name’@'host’ IDENTIFIED BY PASSWORD ‘*’

    /Craig

    Reply

Leave a Reply

Start NowWith Pythian - database design, management and emergency handling capabilities...

Papers & Books

MySQL Administrator's Bible by Sheeri K. Cabral

Oracle RAC Workload Management whitepaper by Alex Gorbachev

8 Rules for Designing More Secure Applications with MySQL by Augusto Bott and Nick Westerlund

Live Updates

pythian: RT @sheeri: #confoo talk "Bending Queries to your Will with EXPLAIN" slides http://bit.ly/explainslides & handout
more



Testimonials

  • Serge Racine

    DBA, Brookfield Energy

    We are very satisfied by the service given to us by Andre and Shakir in support of our recent data quality and reorganization initiative.... more