Well, I agree with your reply. But in my opinion there is a big difference between letting someone walk into an open manhole and putting a small fence around it for protection.

The way it is now, not much is done to prevent the stupid from being stupid. I would like to see some minimum safeguards just to prevent the obvious. It will not bring a secure database, but some sensible settings can make life just that much easier for the starters.

Anyway, it was not difficult to find my way out of it. It only took a lot of time to browse the 1100+ manual pages.

Kind regards,

André Steenveld.

PS: I agree with your first statement too... they are coming to take me away HA HA. :]

> -----Original Message-----
> From: Peter Lovatt [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 17, 2004 3:04 PM
> To: Steenveld, A.; [EMAIL PROTECTED]
> Subject: RE: Security question or am I paranoid?
>
> no .....they really are out to get you :)
>
> Security is always a challenge. You can build the most secure system in the
> world but if the users are not educated in security you have wasted your time.
>
> The "no password" relies on a user knowing what to do. The question is this
> OK default behaviour - the number of MS SQL installations with no master
> password (I remember reading an article about it) says that there are plenty
> of newbie/uneducated/amateur/stupid DBAs out there for it to be a problem.
>
> Perhaps forcing the user into setting a password during setup would be a
> good idea, particularly as MySql expands its userbase beyond the net, where
> security tends to be a priority and DBAs tend to be reasonably skilled.
>
> The password is less of a problem - if you set 'letmein' or something well
> known then the argument above applies. If your password is secure then a)
> only a user with access to the MySql database will see the encrypted
> password, so they probably already know the root password anyway. b) you
> would still have to try thousands or millions of combinations before you
> found the right one. Not impossible, but a reasonable barrier.
>
> If you try a brute force attack as an external user trying to login, MySql
> will lock you out after 10 attempts.
>
> just my 2p worth :)
>
> Peter
>
> -----------------------------------------------
> Excellence in internet and open source software
> -----------------------------------------------
> Sunmaia
> Birmingham
> UK
> www.sunmaia.net
> tel. 0121-242-1473
> International +44-121-242-1473
> -----------------------------------------------
>
> -----Original Message-----
> From: Steenveld, A. [mailto:[EMAIL PROTECTED]
> Sent: 17 February 2004 13:23
> To: [EMAIL PROTECTED]
> Subject: Security question or am I paranoid?
>
> I'm new to MySQL and in starting to use it some questions came up to me
> about security. Please allow me to post them here.
>
> Why is it that MySQL on a new installation has *no* password at all?
> OK, the documentation gives you a warning for it and strongly suggests
> installing one. But why not install it with a default password?
> (Of course, just as unsafe, but at least one must read the manual
> before they stumble into dangerous territory)
>
> Why is it that the documentation pays so little attention to the fact
> that a password is assigned on a link/user basis? (Too little is what
> it looks like to me, I just overlooked the whole concept and had the
> database wide open for everyone without me knowing about it.)
>
> In my opinion these two points should be handled as bugs.
>
> And last but not least I noticed that it is possible to guess any
> password when you have access to the user table in mysql. Let me
> tell you how.
> Passwords are stored in an encrypted way but when two users have
> the same password they will end up with the same encrypted item
> in the user table. E.g. in the table below the users 'root' and
> 'me' use the same password.
>
> +-----------+---------+------------------+
> | host      | user    | password         |
> +-----------+---------+------------------+
> | localhost | root    | 58982d15048734ee |
> | localhost | me      | 58982d15048734ee |
> +-----------+---------+------------------+
>
> An easy way to do something about this is not to encrypt
> password("<password>")
> but something like password("<user>@<host>=<password>") which
> will guarantee a different encryption for each user/host combination.
>
> Kind regards,
>
> André Steenveld.
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
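The leakage André describes (two accounts with the same password end up with the same stored value, so anyone who can read the user table learns they share a password) and the per-user/host construction he proposes, as an added example that is not part of the thread and not MySQL's own code; it assumes SHA-256 from hashlib as a stand-in for PASSWORD(), since the point is the input to the hash, not the hash function.

```python
"""Added example: unsalted vs. user/host-bound password hashing.

Assumption: hashlib.sha256 stands in for MySQL's PASSWORD(); the stored
values are constructed here and are not the 16-hex-char hashes from the
thread."""
import hashlib


def hash_password(password: str) -> str:
    """Unsalted hash: the same password gives the same stored value for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password_bound(user: str, host: str, password: str) -> str:
    """Hash over '<user>@<host>=<password>' as suggested in the thread, so two
    accounts sharing a password no longer share a stored value."""
    material = f"{user}@{host}={password}"
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def build_user_table(accounts, bound: bool):
    """Return (host, user, stored) rows, like a read of mysql.user, for a
    constructed account list."""
    rows = []
    for host, user, password in accounts:
        stored = (hash_password_bound(user, host, password) if bound
                  else hash_password(password))
        rows.append((host, user, stored))
    return rows


def shared_hash_groups(rows):
    """Group accounts by stored value; a group with more than one member tells
    a reader of the table that those accounts share a password."""
    groups = {}
    for host, user, stored in rows:
        groups.setdefault(stored, []).append(f"{user}@{host}")
    return [members for members in groups.values() if len(members) > 1]


# Constructed sample accounts: 'root' and 'me' share a password, as in the thread.
ACCOUNTS = [
    ("localhost", "root", "letmein"),
    ("localhost", "me", "letmein"),
    ("localhost", "app", "a-different-one"),
]

if __name__ == "__main__":
    print("unsalted:", shared_hash_groups(build_user_table(ACCOUNTS, bound=False)))
    print("bound:   ", shared_hash_groups(build_user_table(ACCOUNTS, bound=True)))
```

Binding the hash to user@host removes the cross-account comparison but, because the "salt" is predictable, it does not slow down guessing against a single known row; a random per-row salt with a slow password hash does both.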