no .....they really are out to get you :) Security is always a challenge. You can build the most secure system in the world but if the users are not educated in security you have wasted your time.
The "no password" relies on a user knowing what to do. The question is this OK default behaviour - the number of MS SQL installations with no master password (I remember reading an article about it) says that there are plenty of newbie/uneducated/amater/stupid DBAs out there for it to be problem. Perhaps forcing the user into setting a password during setup would be a good idea, particularly as MySql expands its userbase beyond the net, where security tend to be a priority and DBAs tend to be reasonably skilled. The password is less of a problem - if you set 'letmein' or something well known then the argument above applies. If your password is secure then a) only a user with access to the MySql database will see the encrypted password, so they probably already know the root password anyway. b)you would still have to try thousands or millions of combinations before you found the right one. Not impossible, but a reasonable barrier. If you try a brute force attack as an external user trying to login, MySql will lock you out after 10 attempts. just my 2p worth :) Peter ----------------------------------------------- Excellence in internet and open source software ----------------------------------------------- Sunmaia Birmingham UK www.sunmaia.net tel. 0121-242-1473 International +44-121-242-1473 ----------------------------------------------- -----Original Message----- From: Steenveld, A. [mailto:[EMAIL PROTECTED] Sent: 17 February 2004 13:23 To: [EMAIL PROTECTED] Subject: Sequrity question or am I paranoid? I'm new to MySQL and in starting to use it some questions came up to me about sequrity. Please allow me to post them here. Why is is that MySQL on a new installation has *no* password at all? OK, the documentation gives you a waring for it and strongly suggest to install one. But why not installing it with a default password? (Of cause, just as unsafe, but at least one must read the manual before they stumble into dangerous territory) Why is it that the documentations pays so less attention to the fact that a password is assingned on a link/user basis? (To less is what it looks to me, I just overlooked the whole concept and had the database wide open for everyone without me knowing about it.) To my opinion these two point should be handled as bugs. And last but not least I noticed that it is possible to guess any password when you have access to the user table in mysql. Let me tell you how. Passwords are stored in an encripted way but when two users have the same password they will end up with the same encripted item in the user table. E.g. in the table below the users 'root' and 'me' use the same password. +-----------+---------+------------------+ | host | user | password | +-----------+---------+------------------+ | localhost | root | 58982d15048734ee | | localhost | me | 58982d15048734ee | +-----------+---------+------------------+ An easy way to do something about this is not to encript password("<password>") but something like password("<user>@<host>=<password>") which will guarantee a different encription for each user/host combination. Kind regards, André Steenveld. -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED] -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
