MySQL 5.1 Reference Manual  /  ...  /  Passwords and Logging Passwords and Logging

Passwords can be written as plain text in SQL statements such as CREATE USER, GRANT, SET PASSWORD, and statements that invoke the PASSWORD() function. If such statements are logged by the MySQL server as written, passwords in them become visible to anyone with access to the logs. This applies to the general query log, the slow query log, and the binary log (see Section 5.2, “MySQL Server Logs”).

To guard log files against unwarranted exposure, locate them in a directory that restricts access to the server and the database administrator. If the server logs to tables in the mysql database, grant access to those tables only to the database administrator.

Replication slaves store the password for the replication master in the file. Restrict this file to be accessible only to the database administrator.

Use a restricted access mode to protect database backups that include log tables or log files containing passwords.

Download this Manual
User Comments
Sign Up Login You must be logged in to post a comment.