I'm new to MySQL and in starting to use it some questions came up to me about sequrity. Please allow me to post them here.
Why is is that MySQL on a new installation has *no* password at all? OK, the documentation gives you a waring for it and strongly suggest to install one. But why not installing it with a default password? (Of cause, just as unsafe, but at least one must read the manual before they stumble into dangerous territory) Why is it that the documentations pays so less attention to the fact that a password is assingned on a link/user basis? (To less is what it looks to me, I just overlooked the whole concept and had the database wide open for everyone without me knowing about it.) To my opinion these two point should be handled as bugs. And last but not least I noticed that it is possible to guess any password when you have access to the user table in mysql. Let me tell you how. Passwords are stored in an encripted way but when two users have the same password they will end up with the same encripted item in the user table. E.g. in the table below the users 'root' and 'me' use the same password. +-----------+---------+------------------+ | host | user | password | +-----------+---------+------------------+ | localhost | root | 58982d15048734ee | | localhost | me | 58982d15048734ee | +-----------+---------+------------------+ An easy way to do something about this is not to encript password("<password>") but something like password("<user>@<host>=<password>") which will guarantee a different encription for each user/host combination. Kind regards, André Steenveld. -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]