Store the password (encrypted of course) in your DB de jour Read the 'user record' for that username and pull the associated password Of course its nice to allow the capability to assign a new password Yes I Agree wholeheartedly with your first statement.. -Martin ----- Original Message ----- From: "Peter Lovatt" <[EMAIL PROTECTED]> To: "Steenveld, A." <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Tuesday, February 17, 2004 9:03 AM Subject: RE: Sequrity question or am I paranoid?
> no .....they really are out to get you :) > > Security is always a challenge. You can build the most secure system in the > world but if the users are not educated in security you have wasted your > time. > > The "no password" relies on a user knowing what to do. The question is this > OK default behaviour - the number of MS SQL installations with no master > password (I remember reading an article about it) says that there are plenty > of newbie/uneducated/amater/stupid DBAs out there for it to be problem. > > Perhaps forcing the user into setting a password during setup would be a > good idea, particularly as MySql expands its userbase beyond the net, where > security tend to be a priority and DBAs tend to be reasonably skilled. > > The password is less of a problem - if you set 'letmein' or something well > known then the argument above applies. If your password is secure then a) > only a user with access to the MySql database will see the encrypted > password, so they probably already know the root password anyway. b)you > would still have to try thousands or millions of combinations before you > found the right one. Not impossible, but a reasonable barrier. > > If you try a brute force attack as an external user trying to login, MySql > will lock you out after 10 attempts. > > just my 2p worth :) > > Peter > > > ----------------------------------------------- > Excellence in internet and open source software > ----------------------------------------------- > Sunmaia > Birmingham > UK > www.sunmaia.net > tel. 0121-242-1473 > International +44-121-242-1473 > ----------------------------------------------- > > > > > > > > -----Original Message----- > From: Steenveld, A. [mailto:[EMAIL PROTECTED] > Sent: 17 February 2004 13:23 > To: [EMAIL PROTECTED] > Subject: Sequrity question or am I paranoid? > > > I'm new to MySQL and in starting to use it some questions came up to me > about sequrity. Please allow me to post them here. > > Why is is that MySQL on a new installation has *no* password at all? > OK, the documentation gives you a waring for it and strongly suggest > to install one. But why not installing it with a default password? > (Of cause, just as unsafe, but at least one must read the manual > before they stumble into dangerous territory) > > Why is it that the documentations pays so less attention to the fact > that a password is assingned on a link/user basis? (To less is what > it looks to me, I just overlooked the whole concept and had the > database wide open for everyone without me knowing about it.) > > To my opinion these two point should be handled as bugs. > > > And last but not least I noticed that it is possible to guess any > password when you have access to the user table in mysql. Let me > tell you how. > Passwords are stored in an encripted way but when two users have > the same password they will end up with the same encripted item > in the user table. E.g. in the table below the users 'root' and > 'me' use the same password. > +-----------+---------+------------------+ > | host | user | password | > +-----------+---------+------------------+ > | localhost | root | 58982d15048734ee | > | localhost | me | 58982d15048734ee | > +-----------+---------+------------------+ > > An easy way to do something about this is not to encript > password("<password>") > but something like password("<user>@<host>=<password>") which will guarantee > a different encription for each user/host combination. > > Kind regards, > > André Steenveld. > > -- > MySQL General Mailing List > For list archives: http://lists.mysql.com/mysql > To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED] > > > > > -- > MySQL General Mailing List > For list archives: http://lists.mysql.com/mysql > To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED] > > -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
