Measured against those requirements, only the user1 account has acceptable values. (It's the only account not selected by the “identify weak accounts” query shown earlier.) Each of the other accounts is deficient in some way. The following instructions describe how to address their weaknesses.
In general, it's preferable to manipulate MySQL accounts using SQL statements intended for that purpose, such as CREATE USER or SET PASSWORD, and to avoid modifying the grant tables directly using statements such as INSERT or UPDATE. But some operations are more straightforward using direct manipulation (and sometimes not possible to perform otherwise), so the following instructions include some direct modifications of the user table, even though that goes against convention. A consequence of direct manipulation is that FLUSH PRIVILEGES is required following UPDATE, to ensure that the server refreshes the account information it caches in memory.
For each account for which you reassign the password, you must either know the current password or assign a temporary password. In the latter case, contact the account owner, provide the temporary password, and ask the owner to choose a new one.
Begin by setting the old_passwords system variable to 0, to ensure that PASSWORD() uses the 4.1 hashing method, not the pre-4.1 method:

SET old_passwords = 0;
That done, upgrade each account per its particular weaknesses. Note that the UPDATE statements specify both User and Host (not just User) to uniquely identify the single account to update:
• user1 weaknesses: None. The account specifies the native plug-in explicitly and the password is nonempty in 4.1 hash format. Actions: None needed.
• user2 through user5 have different weaknesses, but in each case the statements to implement the required security upgrade are the same:
  — user2 weaknesses: No plug-in named; password is empty. Actions: Specify the native plug-in; assign a password.
  — user3 weaknesses: Uses the old plug-in; password is empty. Actions: Change to the native plug-in; assign a password.
  — user4 weaknesses: No plug-in named; password uses pre-4.1 hash. Actions: Specify the native plug-in; upgrade password to 4.1 hash.
  — user5 weaknesses: Uses the old plug-in; password uses pre-4.1 hash. Actions: Change to the native plug-in; upgrade password to 4.1 hash.
To address the issues for any of user2 through user5, use the following statements (substituting the proper username for user2 as necessary):
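As an added illustration of the whole procedure (my own statements, not the book's), here is the upgrade for user2 followed by a verification query. The Host value 'localhost', the temporary password, and a MySQL 5.6-era server whose mysql.user table still has Password and plugin columns are assumptions; the same statements apply to user3 through user5 with the username changed.

```sql
-- Added example, not the book's own statements. Host 'localhost' and the
-- temporary password are assumed placeholders; substitute the real values.
-- Assumes a pre-5.7 server where mysql.user has Password and plugin columns.

-- 1. Make PASSWORD() produce 4.1-style hashes (41 characters, '*' prefix)
--    rather than 16-hex-digit pre-4.1 hashes.
SET old_passwords = 0;

-- 2. Name the native plug-in explicitly. Matching on both User and Host
--    guarantees that exactly one grant-table row is changed.
UPDATE mysql.user
   SET plugin = 'mysql_native_password'
 WHERE User = 'user2' AND Host = 'localhost';

-- 3. The direct UPDATE bypasses the server's in-memory cache, so reload it.
FLUSH PRIVILEGES;

-- 4. Assign the (temporary) password with the statement meant for the job;
--    a pre-4.1 hash cannot be converted, so user4/user5 also get a new one.
SET PASSWORD FOR 'user2'@'localhost' = PASSWORD('temporary-password');

-- 5. Verify the single account: native plug-in and a 4.1-format hash.
--    Expect exactly one row back.
SELECT User, Host, plugin, Password
  FROM mysql.user
 WHERE User = 'user2' AND Host = 'localhost'
   AND plugin = 'mysql_native_password'
   AND Password LIKE '*%' AND LENGTH(Password) = 41;

-- 6. A check of my own (not the book's earlier query): list every account
--    still lacking the native plug-in or a nonempty 4.1 hash. Repeat the
--    steps above for each row returned; the goal is an empty result.
SELECT User, Host, plugin, LENGTH(Password) AS hash_len
  FROM mysql.user
 WHERE plugin <> 'mysql_native_password'
    OR Password = ''
    OR Password NOT LIKE '*%'
    OR LENGTH(Password) <> 41;
```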