Passwords can be written as plain text in SQL statements such as
CREATE USER
,
GRANT
, SET
PASSWORD
, and statements that invoke the
PASSWORD()
function. If such
statements are logged by the MySQL server as written, passwords
in them become visible to anyone with access to the logs.
Statement logging avoids writing passwords in cleartext for the following statements:
CREATE USER ... IDENTIFIED BY ...
GRANT ... IDENTIFIED BY ...
SET PASSWORD ...
SLAVE START ... PASSWORD = ...
CREATE SERVER ... OPTIONS(... PASSWORD ...)
ALTER SERVER ... OPTIONS(... PASSWORD ...)
Passwords in those statements are rewritten to not appear
literally in statement text written to the general query log,
slow query log, and binary log. Rewriting does not apply to
other statements. In particular,
INSERT
or
UPDATE
statements for the
mysql.user
table that refer to literal
passwords are logged as is, so you should avoid such statements.
(Direct modification of grant tables is discouraged, anyway.)
For the general query log, password rewriting can be suppressed
by starting the server with the
--log-raw
option. For security
reasons, this option is not recommended for production use. For
diagnostic purposes, it may be useful to see the exact text of
statements as received by the server.
Contents of the audit log file produced by the audit log plugin are not encrypted. For security reasons, this file should be written to a directory accessible only to the MySQL server and users with a legitimate reason to view the log. See Section 6.5.4.2, “MySQL Enterprise Audit Security Considerations”.
To guard log files against unwarranted exposure, locate them in
a directory that restricts access to the server and the database
administrator. If the server logs to tables in the
mysql
database, grant access to those tables
only to the database administrator.
Replication slaves store the password for the replication master
in the master info repository, which can be either a file or a
table (see Section 17.2.2, “Replication Relay and Status Logs”). Ensure that the
repository can be accessed only by the database administrator.
An alternative to storing the password in a file is to use the
START SLAVE
statement to specify
credentials for connecting to the master.
Use a restricted access mode to protect database backups that include log tables or log files containing passwords.