GRANT and REVOKE Syntax
It is inadvisable to specify your password in a way that exposes it to discovery by other users. The methods you can use to specify your password when you run client programs are listed here, along with an assessment of the risks of each method:
mysql.user table. Knowing the encrypted password for a user makes it possible to log in as this user. The passwords are only scrambled so that one shouldn't be able to see the real password you used (if you happen to use a similar password with your other applications).
-pyour_pass or --password=your_pass option on the command line. This is convenient but insecure, because your password becomes visible to system status programs (such as ps) that may be invoked by other users to display command lines. (MySQL clients typically overwrite the command-line argument with zeroes during their initialisation sequence, but there is still a brief interval during which the value is visible.)
-p or --password option (with no your_pass value specified). In this case, the client program solicits the password from the terminal:

shell> mysql -u user_name -p
Enter password: ********

The `*' characters represent your password. It is more secure to enter your password this way than to specify it on the command line because it is not visible to other users. However, this method of entering a password is suitable only for programs that you run interactively. If you want to invoke a client from a script that runs non-interactively, there is no opportunity to enter the password from the terminal. On some systems, you may even find that the first line of your script is read and interpreted (incorrectly) as your password!
[client] section of the `.my.cnf' file in your home directory:

[client]
password=your_pass

If you store your password in `.my.cnf', the file should not be group or world readable or writable. Make sure the file's access mode is 400 or 600.
See section 4.1.2 `my.cnf' Option Files.
MYSQL_PWD environment variable, but this method must be considered extremely insecure and should not be used. Some versions of ps include an option to display the environment of running processes; your password will be in plain sight for all to see if you set MYSQL_PWD. Even on systems without such a version of ps, it is unwise to assume there is no other method to observe process environments. See section F Environment Variables.
All in all, the safest methods are to have the client program prompt for the password or to specify the password in a properly protected `.my.cnf' file.
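
The access-mode advice for `.my.cnf' can be checked mechanically. The shell functions below are an added example, not part of the MySQL manual; the function names, the exit codes and the constructed sample file are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit an option file for the exposure described above.
# Function names and exit codes are hypothetical, chosen for this example.

# Succeeds if the [client] section of option file $1 sets a password.
has_client_password() {
    awk '
        /^[ \t]*\[/ { in_client = ($0 ~ /^[ \t]*\[client\][ \t]*$/); next }
        in_client && /^[ \t]*password[ \t]*=/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Succeeds if any group or world permission bit is set on $1,
# i.e. the mode is looser than the 400 or 600 the text calls for.
group_or_world_access() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]
}

# audit_option_file FILE
# Returns 0 = protected, 1 = password exposed to group/world,
#         2 = file missing, 3 = no [client] password stored in it.
audit_option_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    has_client_password "$f" || { echo "no [client] password: $f"; return 3; }
    if group_or_world_access "$f"; then
        echo "UNSAFE: $f stores a password but is group/world accessible"
        echo "        fix with: chmod 600 $f"
        return 1
    fi
    echo "ok: $f"
}

# Demonstration on a constructed file in a temporary directory.
demo_dir=$(mktemp -d)
printf '[client]\npassword=your_pass\n' > "$demo_dir/my.cnf"
chmod 644 "$demo_dir/my.cnf"
audit_option_file "$demo_dir/my.cnf" || true   # reports UNSAFE
chmod 600 "$demo_dir/my.cnf"
audit_option_file "$demo_dir/my.cnf" || true   # reports ok
rm -rf "$demo_dir"
```

To audit a real account, call `audit_option_file "$HOME/.my.cnf"` and act on a return value of 1.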