I'm new to MySQL and while starting to use it some questions came up to me about
security. Please allow me to post them here.

Why is it that MySQL on a new installation has *no* password at all?
OK, the documentation gives you a warning for it and strongly suggests
installing one. But why not install it with a default password?
(Of course, just as unsafe, but at least one must read the manual
before they stumble into dangerous territory.)

Why is it that the documentation pays so little attention to the fact
that a password is assigned on a link/user basis? (Too little is what
it looks like to me; I just overlooked the whole concept and had the
database wide open for everyone without me knowing about it.)

In my opinion these two points should be handled as bugs.


And last but not least I noticed that it is possible to guess any
password when you have access to the user table in mysql. Let me
tell you how.
Passwords are stored in an encrypted way, but when two users have
the same password they will end up with the same encrypted item
in the user table. E.g. in the table below the users 'root' and
'me' use the same password.
+-----------+---------+------------------+
| host      | user    | password         |
+-----------+---------+------------------+
| localhost | root    | 58982d15048734ee |
| localhost | me      | 58982d15048734ee |
+-----------+---------+------------------+

An easy way to do something about this is not to encrypt password("<password>")
but something like password("<user>@<host>=<password>"), which will guarantee
a different encryption for each user/host combination.

Kind regards,

André Steenveld.

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
