RE: Sequrity question or am I paranoid?

2004-02-18 Thread mos
At 02:06 PM 2/17/2004, you wrote:

Speaking of MySQL database security, what are some key things to keep in
mind, other than changing the root password?
Thanks,
Eve


Eve,
You're not paranoid if they're really out to get you. <g>
Here are some links you might find interesting.

http://www.mysql.com/doc/en/Security.html
http://www.securityfocus.com/infocus/1726
http://www.linuxsecurity.com/tips/tip-24.html
Mike
P.S. Don't forget the root password. Put it on a post-it note and stick it 
to your monitor like everyone else. :-)  

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]


RE: Sequrity question or am I paranoid?

2004-02-17 Thread Peter Lovatt
No, they really are out to get you :)

Security is always a challenge. You can build the most secure system in the
world but if the users are not educated in security you have wasted your
time.

The no-password default relies on a user knowing what to do. The question is:
is this OK default behaviour? The number of MS SQL installations with no master
password (I remember reading an article about it) says that there are plenty
of newbie/uneducated/amateur/stupid DBAs out there for it to be a problem.

Perhaps forcing the user into setting a password during setup would be a
good idea, particularly as MySQL expands its userbase beyond the net, where
security tends to be a priority and DBAs tend to be reasonably skilled.

The password is less of a problem - if you set 'letmein' or something well
known then the argument above applies. If your password is secure then a)
only a user with access to the MySQL database will see the encrypted
password, so they probably already know the root password anyway, and b) you
would still have to try thousands or millions of combinations before you
found the right one. Not impossible, but a reasonable barrier.

If you try a brute force attack as an external user trying to log in, MySQL
will lock you out after 10 attempts.

just my 2p worth :)

Peter


---
Excellence in internet and open source software
---
Sunmaia
Birmingham
UK
www.sunmaia.net
tel. 0121-242-1473
International +44-121-242-1473
---







-Original Message-
From: Steenveld, A. [mailto:[EMAIL PROTECTED]
Sent: 17 February 2004 13:23
To: [EMAIL PROTECTED]
Subject: Sequrity question or am I paranoid?


I'm new to MySQL and in starting to use it some questions came up to me
about security. Please allow me to post them here.

Why is it that MySQL on a new installation has *no* password at all?
OK, the documentation gives you a warning for it and strongly suggests
installing one. But why not install it with a default password?
(Of course, just as unsafe, but at least one must read the manual
before they stumble into dangerous territory.)

Why is it that the documentation pays so little attention to the fact
that a password is assigned on a link/user basis? (Too little is what
it looks like to me; I just overlooked the whole concept and had the
database wide open for everyone without me knowing about it.)

In my opinion these two points should be handled as bugs.


And last but not least, I noticed that it is possible to guess any
password when you have access to the user table in mysql. Let me
tell you how.
Passwords are stored in an encrypted way, but when two users have
the same password they will end up with the same encrypted item
in the user table. E.g. in the table below the users 'root' and
'me' use the same password.
+-----------+------+------------------+
| host      | user | password         |
+-----------+------+------------------+
| localhost | root | 58982d15048734ee |
| localhost | me   | 58982d15048734ee |
+-----------+------+------------------+

An easy way to do something about this is not to encrypt
password(password)
but something like password(user@host=password), which will guarantee
a different encryption for each user/host combination.

Kind regards,

André Steenveld.

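The observation in the quoted message (identical passwords give identical rows in mysql.user, so anyone who can read the table can guess every password) and the proposed fix (hash user@host=password instead) are worth seeing in working code. What follows is an added example, not code from the thread, from MySQL or from its documentation. It re-implements the pre-4.1 PASSWORD() hash (hash_password() in MySQL's sql/password.c; the manual's known answer PASSWORD('mypass') = 6f8c114b58f2ce9e is used to check it), and then runs the same short word list against an unsalted and a per-user-salted user table. salted_password() is the thread's suggestion and a hypothetical scheme MySQL never shipped; the rows and the word list are constructed sample data.

```python
"""Added example, not code from the thread or from MySQL: why an unsalted
PASSWORD() lets one dictionary pass crack every account in mysql.user, and
what the per-user salt proposed in the thread changes.  salted_password()
is that proposal (hypothetical, never shipped by MySQL); the rows and the
word list are constructed sample data."""


def old_password(password):
    """Pre-4.1 PASSWORD(): 16 hex digits (two 31-bit words), no salt.
    Re-implemented from hash_password() in sql/password.c.  Known answer
    from the MySQL manual: old_password("mypass") == "6f8c114b58f2ce9e"."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for tmp in password.encode("latin-1"):
        if tmp in (0x20, 0x09):      # the C code skips spaces and tabs
            continue
        # 32-bit unsigned arithmetic, as in the C original
        nr ^= ((((nr & 63) + add) * tmp) + (nr << 8)) & 0xFFFFFFFF
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
        add += tmp
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def salted_password(user, host, password):
    """The thread's proposal (hypothetical): fold user@host into the input so
    two accounts with the same password no longer share a hash."""
    return old_password("%s@%s=%s" % (user, host, password))


# Constructed stand-in for the pre-4.1 mysql.user table: (Host, User, Password).
# root and me share "mypass", the situation shown in the quoted message.
ACCOUNTS = [("localhost", "root", "mypass"),
            ("localhost", "me", "mypass"),
            ("localhost", "web", "letmein"),
            ("localhost", "backup", "hW8!qz2#")]
UNSALTED_ROWS = [(h, u, old_password(pw)) for h, u, pw in ACCOUNTS]
SALTED_ROWS = [(h, u, salted_password(u, h, pw)) for h, u, pw in ACCOUNTS]
WORDLIST = ["123456", "password", "letmein", "qwerty", "mypass", "admin"]


def shared_hashes(rows):
    """Accounts grouped by identical hash: the leak the message describes.
    Only groups with more than one account are returned."""
    groups = {}
    for host, user, h in rows:
        groups.setdefault(h, []).append("%s@%s" % (user, host))
    return {h: users for h, users in groups.items() if len(users) > 1}


def crack_unsalted(rows, wordlist):
    """Hash each candidate once, then look every row up in the result.
    Returns ({account: password}, number of hash computations)."""
    table = {old_password(w): w for w in wordlist}
    found = {"%s@%s" % (user, host): table[h]
             for host, user, h in rows if h in table}
    return found, len(wordlist)


def crack_salted(rows, wordlist):
    """With a per-account salt the lookup table is useless: every candidate
    has to be hashed again for every account."""
    found, hashes = {}, 0
    for host, user, h in rows:
        for w in wordlist:
            hashes += 1
            if salted_password(user, host, w) == h:
                found["%s@%s" % (user, host)] = w
                break
    return found, hashes


if __name__ == "__main__":
    print("duplicate hashes:", shared_hashes(UNSALTED_ROWS))
    print("unsalted:", crack_unsalted(UNSALTED_ROWS, WORDLIST))
    print("salted:  ", crack_salted(SALTED_ROWS, WORDLIST))
```

Running it shows both sides of the argument in the thread: the unsalted table gives away that root and me share a password before any guessing starts, and six hash computations recover three of the four accounts; with the salt the same word list still finds the same weak passwords, but it costs one hash per candidate per account, and the shared-password leak disappears. The salt does nothing for the fourth point a practitioner would add: this hash is fast and only 62 bits wide, so "thousands or millions of combinations" is a modest barrier for anyone holding a copy of the table, and restricting who can read mysql.user matters more than the hash format.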



Re: Sequrity question or am I paranoid?

2004-02-17 Thread Martin Gainty
Store the password (encrypted, of course) in your DB du jour.
Read the 'user record' for that username and pull the associated password.
Of course it's nice to allow the capability to assign a new password.
Yes, I agree wholeheartedly with your first statement.
-Martin
- Original Message -
From: Peter Lovatt [EMAIL PROTECTED]
To: Steenveld, A. [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, February 17, 2004 9:03 AM
Subject: RE: Sequrity question or am I paranoid?



RE: Sequrity question or am I paranoid?

2004-02-17 Thread Steenveld, A.
Well, I agree with your reply. But in my opinion there is a big difference between
letting someone walk into an open manhole and putting a small fence around it for
protection.

The way it is now, not much is done to prevent the stupid from being stupid. I'd like to
see some minimum safeguards just to prevent the obvious. It will not bring a secure
database, but some sensible settings can make life just that bit easier for starters.

Anyway, it was not difficult to find my way out of it. It only took a lot of time to
browse the 1100+ manual pages.

Kind regards,

André Steenveld.

PS: I agree with your first statement too... they are coming to take me away, HA HA. :]



 -Original Message-
 From: Peter Lovatt [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, February 17, 2004 3:04 PM
 To: Steenveld, A.; [EMAIL PROTECTED]
 Subject: RE: Sequrity question or am I paranoid?



RE: Sequrity question or am I paranoid?

2004-02-17 Thread Eve Atley

Speaking of MySQL database security, what are some key things to keep in
mind, other than changing the root password?

Thanks,
Eve


