Dear readers of our blog, we'd like to recommend you to visit the main page of our website, where you can learn about our product SQLS*Plus and its advantages.
 
SQLS*Plus - best SQL Server command line reporting and automation tool! SQLS*Plus is several orders of magnitude better than SQL Server sqlcmd and osql command line tools.
 

REQUEST COMPLIMENTARY SQLS*PLUS LICENCE

Enteros UpBeat offers a patented database performance management SaaS platform. It proactively identifies root causes of complex revenue-impacting database performance issues across a growing number of RDBMS, NoSQL, and deep/machine learning database platforms. We support Oracle, SQL Server, IBM DB2, MongoDB, Casandra, MySQL, Amazon Aurora, and other database systems.

MySQL 8.0. Security – support for two passwords

24 August 2020

MySQL server

Reflecting on security in MySQL installation, you can consider a wide range of possible procedures/recommendations and their impact on the security of your MySQL server and related applications.

MySQL provides many tools/functions/plugins or components to protect your data, including some additional features such as Transparent Data Encryption (TDE), auditing, data masking and de-identification, firewall, login failure tracking and temporary account locking, connection control plugins, password verification component, etc…

TL; DR

Dual password capability allows you to make changes to your credentials without any problems.

MySQL implements a double password with syntax that saves and discards secondary passwords:

  • The RETAIN CURRENT PASSWORD offer for ALTER USER and SET PASSWORD operators saves the current account password as a secondary password when assigning a new master password.
  • The DISCARD OLD PASSWORD for ALTER USER casts an additional account password, leaving only the master password. The goal is to avoid downtime when changing passwords in replicated environments.

Customers can use the old password as long as the new password is set in the server group and only delete the old password when the new password is set in the entire group.

Workflow:

On each server that is not a replication slave, set a new password, for example:

ALTER USER 'myApp'@'host' IDENTIFIED BY 'NEW_password' RETAIN CURRENT PASSWORD;

Wait until the change of password spreads throughout the system to all slave servers.

Change each application that uses myApp account to connect to servers using the password “NEW_password” rather than “OLD_password”.

On each server that is not a replication slave, reset the secondary password, for example:

ALTER USER 'myApp'@'host' DISCARD OLD PASSWORD;

Let’s take a brief look at using MySQL 8.0

MySQL SQL> SELECT VERSION();
+-----------+
| VERSION() |
+-----------+
| 8.0.19 |
+-----------+

Create user account myApp@localhost with password pwd1 :

MySQL root SQL>
CREATE USER myApp@localhost IDENTIFIED BY 'pwd1';

We can now contact you with a username and password:

$ mysql -u myApp -ppwd1 -e "SELECT USER()".
mysql: [Warning] Using a password on the command line interface can be insecure.
+-----------------+
| USER() |
+-----------------+
| myApp@localhost |
+-----------------+

Note: As indicated in the output, entering a password into the command line interface is bad practice.

Now the database administrator (superuser) uses the ALTER USER instruction with the RETAIN CURRENT PASSWORD sentence to modify the credentials using the double password mechanism by adding pwd2 as the main password.

Thus, pwd1 is now the secondary password:

MySQL root SQL>
ALTER USER myApp@localhost IDENTIFIED BY 'pwd2' RETAIN CURRENT PASSWORD;

We can use our username and new password ( pwd2 ) to connect:

$ mysql -u myApp -ppwd2 -e "SELECT USER()".
mysql: [Warning] Using a password on the command line interface can be insecure.
+-----------------+
| USER() |
+-----------------+
| myApp@localhost |
+-----------------+

But the old password ( pwd1 ) is still valid:

$ mysql -u myApp -ppwd1 -e "SELECT USER()"
mysql: [Warning] Using a password on the command line interface can be insecure.
+-----------------+
| USER() |
+-----------------+
| myApp@localhost |
+-----------------+

Now it is time to reset the additional password ( pwd1 ):

MySQL root SQL>
ALTER USER myApp@localhost DISCARD OLD PASSWORD;

$ mysql -u myApp -ppwd2 -e "SELECT USER()"
mysql: [Warning] Using a password on the command line interface can be insecure.
+-----------------+
| USER() |
+-----------------+
| myApp@localhost |
+-----------------+

$ mysql -u myApp -ppwd1 -e "SELECT USER()"
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'myApp'@'localhost' (using password: YES)

As you can see, only the new password ( pwd2 ) is valid.

 
Tags: , ,

MORE NEWS

 

Preamble​​NoSql is not a replacement for SQL databases but is a valid alternative for many situations where standard SQL is not the best approach for...

Preamble​​MongoDB Conditional operators specify a condition to which the value of the document field shall correspond.Comparison Query Operators $eq...

5 Database management trends impacting database administrationIn the realm of database management systems, moreover half (52%) of your competitors feel...

The data type is defined as the type of data that any column or variable can store in MS SQL Server. What is the data type? When you create any table or...

Preamble​​MS SQL Server is a client-server architecture. MS SQL Server process starts with the client application sending a query.SQL Server accepts,...

First the basics: what is the master/slave?One database server (“master”) responds and can do anything. A lot of other database servers store copies of all...

Preamble​​Atom Hopper (based on Apache Abdera) for those who may not know is an open-source project sponsored by Rackspace. Today we will figure out how to...

Preamble​​MongoDB recently introduced its new aggregation structure. This structure provides a simpler solution for calculating aggregated values rather...

FlexibilityOne of the most advertised features of MongoDB is its flexibility.  Flexibility, however, is a double-edged sword. More flexibility means more...

Preamble​​SQLShell is a cross-platform command-line tool for SQL, similar to psql for PostgreSQL or MySQL command-line tool for MySQL.Why use it?If you...

Preamble​​Writing an application on top of the framework on top of the driver on top of the database is a bit like a game on the phone: you say “insert...

Preamble​​Oracle Coherence is a distributed cache that is functionally comparable with Memcached. In addition to the basic function of the API cache, it...

Preamble​​IBM pureXML, a proprietary XML database built on a relational mechanism (designed for puns) that offers both relational ( SQL / XML ) and...

  What is PostgreSQL array? In PostgreSQL we can define a column as an array of valid data types. The data type can be built-in, custom or enumerated....

Preamble​​If you are a Linux sysadmin or developer, there comes a time when you need to manage an Oracle database that can work in your environment.In this...

Preamble​​Starting with Microsoft SQL Server 2008, by default, the group of local administrators is no longer added to SQL Server administrators during the...