MySQL 5.6: a discussion of how password handling was made more secure

  • 2020-05-15 02:23:50
  • OfStack

MySQL 5.6 automatically hides password information in its logs. It does not merely obfuscate the password: it stores the one-way hash value in the log file instead. You can disable password hiding for log files by setting log-raw=OFF. The log-raw setting only affects the general log; passwords are still hidden in the slow query log and the binary log.

In MySQL 5.5 this had to be done manually, by first storing the hash in a variable. For the most part that workaround is no longer needed.
But that's not all. According to the manual for the mysql command, the mysql client will not record statements that match "*IDENTIFIED*:*PASSWORD*".

However, don't forget to protect the MySQL server and client log files with proper file permissions, and this includes other files such as master.info. In addition, if a node's credentials are stored in the database, you need to use MySQL's privilege system to protect them. The same care applies to master.info if someone has too many database privileges and can load its contents using LOAD DATA INFILE.
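The following audit sketch is an added example, not code from the original article or from MySQL. It applies the ignore list quoted above to an existing history or log file to find credential-bearing statements that were recorded anyway (for example by an older client), and flags files that group or other users can access. The function names and sample lines are constructed for illustration, and it assumes the patterns are case-insensitive with `*` and `?` as the only wildcards.

```python
import os
import re
import stat

# Default ignore list quoted above; entries are separated by ":".
DEFAULT_IGNORE = "*IDENTIFIED*:*PASSWORD*"

# Constructed sample of an old client history file (not real data).
SAMPLE_HISTORY = [
    "SELECT VERSION();",
    "CREATE USER 'app'@'localhost' identified by 'EXAMPLE-ONLY';",
    "SET PASSWORD FOR 'app'@'localhost' = PASSWORD('EXAMPLE-ONLY');",
    "SHOW DATABASES;",
]

def compile_ignore(pattern_list):
    """Compile a colon-separated wildcard list into case-insensitive regexes."""
    compiled = []
    for pattern in filter(None, pattern_list.split(":")):
        body = "".join(
            ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
            for ch in pattern
        )
        compiled.append(re.compile(body, re.IGNORECASE | re.DOTALL))
    return compiled

def sensitive_statements(lines, pattern_list=DEFAULT_IGNORE):
    """Return (line_number, text) for every statement matching the list."""
    regexes = compile_ignore(pattern_list)
    hits = []
    for number, line in enumerate(lines, 1):
        text = line.strip()
        if any(rx.fullmatch(text) for rx in regexes):
            hits.append((number, text))
    return hits

def overly_permissive(path):
    """True when group or other users have any permission bit on the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

if __name__ == "__main__":
    # Report only line numbers so the audit output does not repeat the secret.
    for number, _text in sensitive_statements(SAMPLE_HISTORY):
        print(f"line {number}: credential-bearing statement recorded")
```

Run `overly_permissive` against the client history file, the server logs and master.info; any `True` result means the file mode should be tightened to owner-only access.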

Of course, there's still room for improvement:
It would be better if secure connections were easy to enable. MySQL and many other applications use TLS, but it has some performance issues and is not easy to set up. Also, for the sake of simplicity, MySQL is not secure by default.
So MySQL 5.6 has improved security without requiring any configuration.
