- 6.1.2 Keeping Passwords Secure
- 6.1.2.1 End-User Guidelines for Password Security
- 6.1.2.2 Administrator Guidelines for Password Security
- 6.1.2.3 Passwords and Logging
- 6.1.2.4 Password Hashing in MySQL
- 6.1.2.5 Implications of Password Hashing Changes in MySQL 4.1 for Application Programs
- 6.1.2.6 The Password Validation Plugin
Passwords can be written as plain text in SQL statements such as
CREATE USER,
GRANT, and
SET PASSWORD, or statements that
invoke the PASSWORD() function.
If these statements are logged by the MySQL server as written,
such passwords become available to anyone with access to the
logs.
Beginning with MySQL 5.6.3, statement logging is modified so that passwords do not appear in plain text for the following statements:
CREATE USER ... IDENTIFIED BY ... GRANT ... IDENTIFIED BY ... SET PASSWORD ... SLAVE START ... PASSWORD = ... (as of 5.6.4) CREATE SERVER ... OPTIONS(... PASSWORD ...) (as of 5.6.9) ALTER SERVER ... OPTIONS(... PASSWORD ...) (as of 5.6.9)
Passwords in those statements are rewritten not to appear literally in statement text, for the general query log, slow query log, and binary log. Rewriting does not apply to other statements.
For the general query log, password rewriting can be suppressed
by starting the server with the
--log-raw option. This option may
be useful for diagnostic purposes, to see the exact text of
statements as received by the server, but for security reasons
is not recommended for production use.
Contents of the audit log file produced by the audit log plugin are not encrypted. For security reasons, this file should be written to a directory accessible only to the MySQL server and users with a legitimate reason to view the log. See Section 6.3.12.2, “Audit Log Plugin Security Considerations”.
To guard log files against unwarranted exposure, they should be
located in a directory that restricts access to only the server
and the database administrator. If you log to tables in the
mysql database, access to those tables should
never be granted to any nonadministrative accounts.
Replication slaves store the password for the replication master
in the master info repository, which can be either a file or a
table (see Section 17.2.2, “Replication Relay and Status Logs”). Ensure that the
repository can be accessed only by the database administrator.
As of MySQL 5.6.4, an alternative to storing the password in a
file is to use the START SLAVE
statement to specify credentials for connecting to the master.
Database backups that include tables or log files containing passwords should be protected using a restricted access mode.
User Comments