Info Node: (mysql.info)Password security

Keeping Your Password Secure
----------------------------

It is inadvisable to specify your password in a way that exposes it to
discovery by other users.  One rule applies no matter how the password
is supplied; after it, the methods you can use to specify your
password when you run client programs are listed, along with an
assessment of the risks of each method:

   * Never give a normal user access to the `mysql.user' table.  The
     stored value is a one-way scramble (a hash) of the password, not a
     reversible encryption, but the login handshake is computed from
     that scrambled value rather than from the password you typed, so
     anyone who knows the scrambled value can log in as that user.  The
     scrambling only prevents a reader from recovering the password
     itself (which matters if you reuse the same password with your
     other applications).

   * Use a `-pyour_pass' or `--password=your_pass' option on the command
     line (there is no space between `-p' and the password).  This is
     convenient but insecure, because your password becomes visible to
     system status programs (such as `ps') that other users can invoke
     to display command lines.  (MySQL clients typically overwrite the
     command-line argument with zeroes during their initialization
     sequence, but there is still a brief interval during which the
     value is visible, and the overwrite does nothing for a copy taken
     before it happens.)  In an interactive shell the command is also
     recorded in your shell history file, where the password remains
     readable long after the client has exited.

   * Use a `-p' or `--password' option (with no `your_pass' value
     specified).  In this case, the client program solicits the
     password from the terminal:

          shell> mysql -u user_name -p
          Enter password: ********

     The `*' characters represent your password.

     It is more secure to enter your password this way than to specify
     it on the command line because it is not visible to other users.
     However, this method of entering a password is suitable only for
     programs that you run interactively.  If you want to invoke a
     client from a script that runs non-interactively, there is no
     opportunity to enter the password from the terminal.  Worse, the
     client may then read the password from whatever its standard input
     happens to be: on some systems you may even find that a line of
     your script is consumed and interpreted (incorrectly) as your
     password.

   * Store your password in a configuration file.  For example, you can
     list your password in the `[client]' section of the `.my.cnf' file
     in your home directory:

          [client]
          password=your_pass

     If you store your password in `.my.cnf', the file must not be
     group or world readable or writable.  Make sure the file is owned
     by you and that its access mode is `400' or `600' (for example,
     `chmod 600 ~/.my.cnf').  A readable file gives away the password;
     a world-writable one lets any local user substitute their own
     settings for yours.  See also: Option files.

   * You can store your password in the `MYSQL_PWD' environment
     variable, but this method must be considered extremely insecure
     and should not be used.  Some versions of `ps' include an option
     to display the environment of running processes; your password
     will be in plain sight for all to see if you set `MYSQL_PWD'.
     Even on systems without such a version of `ps', it is unwise to
     assume there is no other method to observe process environments:
     the environment is inherited by every child process the client
     starts, and it can end up in core dumps and crash reports.
     See also: Environment variables.

All in all, the safest methods are to have the client program prompt
for the password or to specify the password in a properly protected
`.my.cnf' file.
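The recommended non-interactive setup, as an added shell example that is
not part of the MySQL manual: it creates a `[client]' option file for a
batch job and refuses to use it unless the file is owned by the caller
with mode `400' or `600'.  The path, the user name, the `user=' line and
the placeholder password are constructed for the illustration;
`--defaults-extra-file' is a real client option, but the `mysql_batch'
wrapper is not invoked here because it needs a reachable server.

```shell
#!/bin/sh
# Added example, not from the MySQL manual: create a [client] option
# file for a non-interactive job and verify it is protected as the text
# requires (owned by the caller, mode 400 or 600) before any script
# relies on it.  Path, user name and password are constructed placeholders.

# Octal permission bits of a file.  GNU/busybox stat takes -c, BSD and
# macOS stat take -f; try the first form and fall back to the second.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Numeric uid of a file's owner, same portability fallback.
file_owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Write an option file holding the password.  umask 077 is set in a
# subshell so the file is created already unreadable by group and world;
# there is no window in which it exists with looser permissions.
write_client_cnf() {
    path=$1 user=$2 pass=$3
    ( umask 077; printf '[client]\nuser=%s\npassword=%s\n' "$user" "$pass" > "$path" )
}

# Succeed (0) only if the option file is a regular file owned by the
# caller with mode exactly 400 or 600.  Anything else is reported on
# stdout and rejected, so a cron job fails loudly instead of running
# with a password every local user can read.
check_my_cnf() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file"; return 1
    fi
    if [ "$(file_owner_uid "$f")" != "$(id -u)" ]; then
        echo "$f: not owned by uid $(id -u)"; return 1
    fi
    mode=$(file_mode "$f")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$f: mode $mode is group or world accessible; run chmod 600 '$f'"; return 1 ;;
    esac
}

# Run the mysql client non-interactively with the checked option file.
# --defaults-extra-file reads this file in addition to the usual ones, so
# the password never appears on the command line or in the environment.
# Not called below: it needs a reachable server.
mysql_batch() {
    cnf=$1; shift
    check_my_cnf "$cnf" || return 1
    mysql --defaults-extra-file="$cnf" "$@"
}

# Self-contained demonstration on a temporary file.
demo_dir=$(mktemp -d)
demo_cnf=$demo_dir/my.cnf
write_client_cnf "$demo_cnf" 'batch_user' 'constructed_placeholder_pw'
check_my_cnf "$demo_cnf" && echo "$demo_cnf: ok (mode $(file_mode "$demo_cnf"))"
chmod 644 "$demo_cnf"            # simulate a careless chmod
check_my_cnf "$demo_cnf" || echo "rejected, as it should be"
rm -rf "$demo_dir"
```

The check runs before every batch invocation rather than once at
install time, because the failure mode that matters is a later `chmod',
a restore from backup, or a copy made with a permissive umask, none of
which the original installer sees.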

