Change users mysql password with a view to security -- Best Practices

Question

I am running MySQLserver version 5.0.96 on SLES 11 SP2, and I am looking for a safe way to change a user's password. Of course, it is very easy to change a user's password by:

SET PASSWORD FOR 'user'@'192.168.0.%' = PASSWORD('mysecret');

But this query finds its way into the query log, the binary log, and the MySQL history file. To prevent this, I used:

export MYSQL_HISTFILE=/dev/null

before starting the client, and:

SET sql_log_bin = 0;
SET sql_log_off = 1;

afterwards. Grep and mysqlbinlog prove that my plan comes together, but I have overlooked that MySQL has silently changed the file mode bits of /dev/null to 0600. Oops!

At this point, I asked myself if there isn't a better way to safely change a user's password. And now I am asking you:

What is the best way to safely change a user's password for a MySQL server?

Answer 1

It seems that according to dev.mysql, they recommend just securing the logs rather than sanitizing them.

To guard against unwarranted exposure to log files, they should be located in a directory that restricts access to only the server and the database administrator.

Replication slaves store the password for the replication master in the master.info file. Retrict this file to be accessible only to the database administrator.

Database backups that include tables or log files containing passwords should be protected using a restricted access mode.

It would appear that this issue was fixed more elegantly in later versions of MySQL. See: http://dev.mysql.com/doc/refman/5.7/en/password-logging.html

In MySQL 5.7, statement logging avoids writing passwords in plain text for the following statements:

CREATE USER ... IDENTIFIED BY ... GRANT ... IDENTIFIED BY ... SET PASSWORD ... SLAVE START ... PASSWORD = ... CREATE SERVER ... OPTIONS(... PASSWORD ...) ALTER SERVER ... OPTIONS(... PASSWORD ...)

Passwords in those statements are rewritten not to appear literally in statement text, for the general query log, slow query log, and binary log. Rewriting does not apply to other statements.

So, unless you can upgrade to a later version, your solution seems like it may be the right one.

Answer 2

I use mysqladmin on Linux systems but with an additional step beforehand to prevent the new password from being shown or recorded. The read command will allow you to enter a new password which will be stored in the 'newpass' variable without being shown on-screen. The mysqladmin command will prompt you for your current password without it being shown on-screen and, if the current password is correct, it will set the MySQL user's new password to the value of the 'newpass' variable.

echo -n "Enter new password: "; read -s newpass; echo; mysqladmin -u <yourusername> password "$newpass" -p

You can copy and paste the above into a terminal on your Linux system as-is but be sure to replace <yourusername> with your MySQL username.