安科网

关于 MySQL 密码你应该知道的那些事

SCNUHB

SCNUHB

2015-07-21

关注 关注

本文将介绍MySQL用户密码相关的一些知识,以及5.6中对于安全性的一些改进

关于 MySQL 密码你应该知道的那些事

MySQL用户密码是如何生成和保存的

如果你已经接触MySQL一段时间了,那么想必你一定知道MySQL把所有用户的用户名和密码的密文存放在mysql.user表中。大致的形式如下:

  1. <span class="pln">mysql </span><span class="pun">[</span><span class="pln">localhost</span><span class="pun">]</span><span class="pun">{</span><span class="pln">msandbox</span><span class="pun">}</span><span class="pun">(</span><span class="pln">mysql</span><span class="pun">)</span><span class="pun">></span><span class="kwd">select</span><span class="pln"> user</span><span class="pun">,</span><span class="pln">password </span><span class="kwd">from</span><span class="pln"> mysql</span><span class="pun">.</span><span class="pln">user</span><span class="pun">;</span>
  2. <span class="pun">+----------------+-------------------------------------------+</span>
  3. <span class="pun">|</span><span class="pln"> user </span><span class="pun">|</span><span class="pln"> password </span><span class="pun">|</span>
  4. <span class="pun">+----------------+-------------------------------------------+</span>
  5. <span class="pun">|</span><span class="pln"> root </span><span class="pun">|</span><span class="pun">*</span><span class="lit">6C387FC3893DBA1E3BA155E74754DA6682D04747</span><span class="pun">|</span>
  6. <span class="pun">|</span><span class="pln"> plain_password </span><span class="pun">|</span><span class="pun">*</span><span class="lit">861D75A7F79DE84B116074893BBBA7C4F19C14FA</span><span class="pun">|</span>
  7. <span class="pun">|</span><span class="pln"> msandbox </span><span class="pun">|</span><span class="pun">*</span><span class="lit">6C387FC3893DBA1E3BA155E74754DA6682D04747</span><span class="pun">|</span>
  8. <span class="pun">|</span><span class="pln"> msandbox </span><span class="pun">|</span><span class="pun">*</span><span class="lit">6C387FC3893DBA1E3BA155E74754DA6682D04747</span><span class="pun">|</span>
  9. <span class="pun">|</span><span class="pln"> msandbox_rw </span><span class="pun">|</span><span class="pun">*</span><span class="lit">6C387FC3893DBA1E3BA155E74754DA6682D04747</span><span class="pun">|</span>
  10. <span class="pun">|</span><span class="pln"> msandbox_rw </span><span class="pun">|</span><span class="pun">*</span><span class="lit">6C387FC3893DBA1E3BA155E74754DA6682D04747</span><span class="pun">|</span>
  11. <span class="pun">|</span><span class="pln"> msandbox_ro </span><span class="pun">|</span><span class="pun">*</span><span class="lit">6C387FC3893DBA1E3BA155E74754DA6682D04747</span><span class="pun">|</span>
  12. <span class="pun">|</span><span class="pln"> msandbox_ro </span><span class="pun">|</span><span class="pun">*</span><span class="lit">6C387FC3893DBA1E3BA155E74754DA6682D04747</span><span class="pun">|</span>
  13. <span class="pun">|</span><span class="pln"> rsandbox </span><span class="pun">|</span><span class="pun">*</span><span class="pln">B07EB15A2E7BD9620DAE47B194D5B9DBA14377AD </span><span class="pun">|</span>
  14. <span class="pun">+----------------+-------------------------------------------+</span>
  15. <span class="lit">9</span><span class="pln"> rows </span><span class="kwd">in</span><span class="kwd">set</span><span class="pun">(</span><span class="lit">0.01</span><span class="pln"> sec</span><span class="pun">)*</span>

可见MySQL在其内部是不存放用户的明文密码的(这个也是一般程序对于敏感信息的最基础保护)。一般来说密文是通过不可逆加密算法得到的。这样即使敏感信息泄漏,除了暴力破解是无法快速从密文直接得到明文的。

MySQL用的是哪种不可逆算法来加密用户密码的

MySQL实际上是使用了两次SHA1夹杂一次unhex的方式对用户密码进行了加密。具体的算法可以用公式表示:password_str = concat('*', sha1(unhex(sha1(password))))

我们可以用下面的方法做个简单的验证。

  1. <span class="pln">mysql </span><span class="pun">[</span><span class="pln">localhost</span><span class="pun">]</span><span class="pun">{</span><span class="pln">msandbox</span><span class="pun">}</span><span class="pun">(</span><span class="pln">mysql</span><span class="pun">)</span><span class="pun">></span><span class="kwd">select</span><span class="pln"> password</span><span class="pun">(</span><span class="str">'mypassword'</span><span class="pun">),</span><span class="pln">concat</span><span class="pun">(</span><span class="str">'*'</span><span class="pun">,</span><span class="pln">sha1</span><span class="pun">(</span><span class="pln">unhex</span><span class="pun">(</span><span class="pln">sha1</span><span class="pun">(</span><span class="str">'mypassword'</span><span class="pun">))));</span>
  2. <span class="pun">+-------------------------------------------+---------------------------------------------+</span>
  3. <span class="pun">|</span><span class="pln"> password</span><span class="pun">(</span><span class="str">'mypassword'</span><span class="pun">)</span><span class="pun">|</span><span class="pln"> concat</span><span class="pun">(</span><span class="str">'*'</span><span class="pun">,</span><span class="pln">sha1</span><span class="pun">(</span><span class="pln">unhex</span><span class="pun">(</span><span class="pln">sha1</span><span class="pun">(</span><span class="str">'mypassword'</span><span class="pun">))))</span><span class="pun">|</span>
  4. <span class="pun">+-------------------------------------------+---------------------------------------------+</span>
  5. <span class="pun">|</span><span class="pun">*</span><span class="pln">FABE5482D5AADF36D028AC443D117BE1180B9725 </span><span class="pun">|</span><span class="pun">*</span><span class="pln">fabe5482d5aadf36d028ac443d117be1180b9725 </span><span class="pun">|</span>
  6. <span class="pun">+-------------------------------------------+---------------------------------------------+</span>
  7. <span class="lit">1</span><span class="pln"> row </span><span class="kwd">in</span><span class="kwd">set</span><span class="pun">(</span><span class="lit">0.01</span><span class="pln"> sec</span><span class="pun">)</span>

MySQL用户密码的不安全性

其实MySQL在5.6版本以前,对于对于安全性的重视度非常低,对于用户密码也不例外。例如,MySQL对于binary log中和用户密码相关的操作是不加密的。如果你向MySQL发送了例如create user,grant user ... identified by这样的携带初始明文密码的指令,那么会在binary log中原原本本的被还原出来。我们通过下面的例子来验证。

创建一个用户:

  1. <span class="pln">mysql </span><span class="pun">[</span><span class="pln">localhost</span><span class="pun">]</span><span class="pun">{</span><span class="pln">msandbox</span><span class="pun">}</span><span class="pun">(</span><span class="pln">mysql</span><span class="pun">)</span><span class="pun">></span><span class="pln"> create user plain_password identified </span><span class="kwd">by</span><span class="str">'plain_pass'</span><span class="pun">;</span>
  2. <span class="typ">Query</span><span class="pln"> OK</span><span class="pun">,</span><span class="lit">0</span><span class="pln"> rows affected </span><span class="pun">(</span><span class="lit">0.00</span><span class="pln"> sec</span><span class="pun">)</span>

用mysqlbinlog查看二进制日志:

  1. <span class="pln">shell</span><span class="pun">></span><span class="pln"> mysqlbinlog binlog</span><span class="pun">.</span><span class="lit">000001</span>
  2. <span class="com"># at 106</span>
  3. <span class="com">#150227 23:37:59 server id 1 end_log_pos 223 Query thread_id=1 exec_time=0 error_code=0</span>
  4. <span class="kwd">use</span><span class="pln"> mysql</span><span class="com">/*!*/</span><span class="pun">;</span>
  5. <span class="pln">SET TIMESTAMP</span><span class="pun">=</span><span class="lit">1425051479</span><span class="com">/*!*/</span><span class="pun">;</span>
  6. <span class="pln">SET </span><span class="pun">@</span><span class="lit">@session</span><span class="pun">.</span><span class="pln">pseudo_thread_id</span><span class="pun">=</span><span class="lit">1</span><span class="com">/*!*/</span><span class="pun">;</span>
  7. <span class="pln">SET </span><span class="pun">@</span><span class="lit">@session</span><span class="pun">.</span><span class="pln">foreign_key_checks</span><span class="pun">=</span><span class="lit">1</span><span class="pun">,</span><span class="pun">@</span><span class="lit">@session</span><span class="pun">.</span><span class="pln">sql_auto_is_null</span><span class="pun">=</span><span class="lit">1</span><span class="pun">,</span><span class="pun">@</span><span class="lit">@session</span><span class="pun">.</span><span class="pln">unique_checks</span><span class="pun">=</span><span class="lit">1</span><span class="pun">,</span><span class="pun">@</span><span class="lit">@session</span><span class="pun">.</span><span class="pln">autocommit</span><span class="pun">=</span><span class="lit">1</span><span class="com">/*!*/</span><span class="pun">;</span>
  8. <span class="pln">SET </span><span class="pun">@</span><span class="lit">@session</span><span class="pun">.</span><span class="pln">sql_mode</span><span class="pun">=</span><span class="lit">0</span><span class="com">/*!*/</span><span class="pun">;</span>
  9. <span class="pln">SET </span><span class="pun">@</span><span class="lit">@session</span><span class="pun">.</span><span class="pln">auto_increment_increment</span><span class="pun">=</span><span class="lit">1</span><span class="pun">,</span><span class="pun">@</span><span class="lit">@session</span><span class="pun">.</span><span class="pln">auto_increment_offset</span><span class="pun">=</span><span class="lit">1</span><span class="com">/*!*/</span><span class="pun">;</span>
  10. <span class="com">/*!\C latin1 *//*!*/</span><span class="pun">;</span>
  11. <span class="pln">SET </span><span class="pun">@</span><span class="lit">@session</span><span class="pun">.</span><span class="pln">character_set_client</span><span class="pun">=</span><span class="lit">8</span><span class="pun">,@</span><span class="lit">@session</span><span class="pun">.</span><span class="pln">collation_connection</span><span class="pun">=</span><span class="lit">8</span><span class="pun">,@</span><span class="lit">@session</span><span class="pun">.</span><span class="pln">collation_server</span><span class="pun">=</span><span class="lit">8</span><span class="com">/*!*/</span><span class="pun">;</span>
  12. <span class="pln">SET </span><span class="pun">@</span><span class="lit">@session</span><span class="pun">.</span><span class="pln">lc_time_names</span><span class="pun">=</span><span class="lit">0</span><span class="com">/*!*/</span><span class="pun">;</span>
  13. <span class="pln">SET </span><span class="pun">@</span><span class="lit">@session</span><span class="pun">.</span><span class="pln">collation_database</span><span class="pun">=</span><span class="pln">DEFAULT</span><span class="com">/*!*/</span><span class="pun">;</span>
  14. <span class="pln">create user plain_password identified </span><span class="kwd">by</span><span class="str">'plain_pass'</span>
  15. <span class="com">/*!*/</span><span class="pun">;</span>
  16. <span class="pln">DELIMITER </span><span class="pun">;</span>
  17. <span class="com"># End of log file</span>
  18. <span class="pln">ROLLBACK </span><span class="com">/* added by mysqlbinlog */</span><span class="pun">;</span>
  19. <span class="com">/*!50003 SET COMPLETION_TYPE=@OLD_COMPLETION_TYPE*/</span><span class="pun">;</span>

MySQL5.6中对于用户密码的安全性加强

好在MySQL5.6开始对安全性有了一定的重视,为了杜绝明文密码出现在binlog中的情况,MySQL引入了一系列会以密文方式记录二进制日志的命令:

  • CREATE USER … IDENTIFIED BY …
  • GRANT … IDENTIFIED BY …
  • SET PASSWORD …
  • SLAVE START … PASSWORD = … (as of 5.6.4)
  • CREATE SERVER … OPTIONS(… PASSWORD …) (as of 5.6.9)
  • ALTER SERVER … OPTIONS(… PASSWORD …) (as of 5.6.9)

细心你的也许会发现,change master to master_password=''命令不在这个范畴中。这也就意味着MySQL5.6中仍然使用这样的语法来启动replication时有安全风险的。这也就是为什么5.6中使用带有明文密码的change master to时会有warning提示,具体如下:

  1. <span class="pln">slave1 </span><span class="pun">[</span><span class="pln">localhost</span><span class="pun">]</span><span class="pun">{</span><span class="pln">msandbox</span><span class="pun">}</span><span class="pun">((</span><span class="pln">none</span><span class="pun">))</span><span class="pun">></span><span class="pln"> change master to master_host</span><span class="pun">=</span><span class="str">'127.0.0.1'</span><span class="pun">,</span><span class="pln">master_port </span><span class="pun">=</span><span class="lit">21288</span><span class="pun">,</span><span class="pln">master_user</span><span class="pun">=</span><span class="str">'rsandbox'</span><span class="pun">,</span><span class="pln">master_password</span><span class="pun">=</span><span class="str">'rsandbox'</span><span class="pun">,</span><span class="pln">master_auto_position</span><span class="pun">=</span><span class="lit">1</span><span class="pun">;</span>
  2. <span class="typ">Query</span><span class="pln"> OK</span><span class="pun">,</span><span class="lit">0</span><span class="pln"> rows affected</span><span class="pun">,</span><span class="lit">2</span><span class="pln"> warnings </span><span class="pun">(</span><span class="lit">0.04</span><span class="pln"> sec</span><span class="pun">)</span>
  3. <span class="pln">slave1 </span><span class="pun">[</span><span class="pln">localhost</span><span class="pun">]</span><span class="pun">{</span><span class="pln">msandbox</span><span class="pun">}</span><span class="pun">((</span><span class="pln">none</span><span class="pun">))</span><span class="pun">></span><span class="pln"> show warnings</span><span class="pun">;</span>
  4. <span class="pun">+-------+------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+</span>
  5. <span class="pun">|</span><span class="typ">Level</span><span class="pun">|</span><span class="typ">Code</span><span class="pun">|</span><span class="typ">Message</span><span class="pun">|</span>
  6. <span class="pun">+-------+------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+</span>
  7. <span class="pun">|</span><span class="typ">Note</span><span class="pun">|</span><span class="lit">1759</span><span class="pun">|</span><span class="typ">Sending</span><span class="pln"> passwords </span><span class="kwd">in</span><span class="pln"> plain text without SSL</span><span class="pun">/</span><span class="pln">TLS </span><span class="kwd">is</span><span class="pln"> extremely insecure</span><span class="pun">.</span><span class="pun">|</span>
  8. <span class="pun">|</span><span class="typ">Note</span><span class="pun">|</span><span class="lit">1760</span><span class="pun">|</span><span class="typ">Storing</span><span class="typ">MySQL</span><span class="pln"> user name </span><span class="kwd">or</span><span class="pln"> password information </span><span class="kwd">in</span><span class="pln"> the master info repository </span><span class="kwd">is</span><span class="kwd">not</span><span class="pln"> secure </span><span class="kwd">and</span><span class="kwd">is</span><span class="pln"> therefore </span><span class="kwd">not</span><span class="pln"> recommended</span><span class="pun">.</span><span class="typ">Please</span><span class="pln"> consider </span><span class="kwd">using</span><span class="pln"> the USER </span><span class="kwd">and</span><span class="pln"> PASSWORD connection options </span><span class="kwd">for</span><span class="pln"> START SLAVE</span><span class="pun">;</span><span class="pln"> see the </span><span class="str">'START SLAVE Syntax'</span><span class="kwd">in</span><span class="pln"> the </span><span class="typ">MySQL</span><span class="typ">Manual</span><span class="kwd">for</span><span class="pln"> more information</span><span class="pun">.</span><span class="pun">|</span>
  9. <span class="pun">+-------+------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+</span>
  10. <span class="lit">2</span><span class="pln"> rows </span><span class="kwd">in</span><span class="kwd">set</span><span class="pun">(</span><span class="lit">0.00</span><span class="pln"> sec</span><span class="pun">)</span>

mysql

SCNUHB

SCNUHB

0 关注 0 粉丝 0 动态

关注 关注

相关推荐

Golang操作MySql数据库的完整步骤记录

MySQL是业界常用的关系型数据库,在平时开发中会经常与MySql数据库打交道,所以在接下来将介绍怎么使用Go语言操作MySql数据库。Go语言中的database/sql包提供了保证SQL或类SQL数据库的泛用接口,并不提供具体的数据库驱动。我们常用的数

CoderToy 2020-11-16

MySQL主从复制原理以及需要注意的地方

最近在写Mycat专题,由于不少小伙伴最近要出去面试,问我能不能简单写下MySQL的主从复制原理和注意事项,因为在之前的面试中被问到了这些问题。 Master 将数据改变记录到二进制日志中,也就是配置文件 log-bin 指定的文件, 这些记录叫做二进制日

emmm00 2020-11-17

Mysql联表update数据的示例详解

在MySQL中,可以在 UPDATE语句 中使用JOIN子句执行跨表更新。employees表将存储在员工编号,姓名,工作表现和工资的数据。employees 和 merits 表之间以是 performance 字段相关联的。对于 employees 表

王艺强 2020-11-17

MySQL数据类型优化原则

MySQL支持的数据类型很多,选择正确的数据类型对于高性能至关重要。下面几个简单的原则都有助于做出更好的选择。应该尽量使用可以正确储存数据的最小数据类型。如果无法确定哪个数据类型时最好的,就选择你认为不会超过范围的最小类型。比如用MySQ内建的类型而不是使

ribavnu 2020-11-16

专业级的MySQL开发设计规范及SQL编写规范

在团队开发过程中为了项目的稳定,代码的高效,管理的便捷制定内部种开发设计规范是必不可少的,命名规范的对象是指数据库SCHEMA、表TABLE、索引INDEX、约束CONSTRAINTS等的命名约定。数据库创建时必须添加默认字符集和校对规则子句。设计应至少满

bianruifeng 2020-11-16

Mysql 查询JSON结果的相关函数汇总

计算 JSON 深度,计算方式 {} [] 有一个符号即为一层,符号下有数据增加一层,复杂 JSON 算到最深的一次为止,官方文档说 null 值深度为 0,但是实际效果并非如此,列举几个例子。计算 JSON 最外层或者指定 path 的长度,标量的长度为

wangshuangbao 2020-11-13

Mysql 实现字段拼接的三个函数

给运营导出数据时,难免需要对字段进行拼接,如果 Mysql 可以完成的话,就可以少些很多代码。不过如果有字段值为 NULL,则结果为 NULL。上面这种方式如果想要使用分隔符分割,就需要每个字段中间插一个字符串,非常麻烦。concat_ws() 可以一次性

苏康申 2020-11-13

浅谈MySQL中的自增主键用完了怎么办

" (然后,你就可以回去等通知了!我们以无符号整型为例,存储范围为0~4294967295,约43亿!我们先说一下,一旦自增id达到最大值,此时数据继续插入是会报一个主键冲突异常如下所示。因此,表中的真实id必然会出现断续的情况。

vivenwan 2020-11-13

MySql索引使用策略分析

(建立索引会占用磁盘空间的索引文件。2.很少数据的列也不应该建立索引,比如 一个性别字段 0或者1,在查询中,结果集的数据占了表中数据行的比例比较大,mysql需要扫描的行数很多,增加索引,并不能提高效率

moyekongling 2020-11-13

mysql 如何动态修改复制过滤器

2、这个rds上有一个本地的ECS只读从库,这个只读从库会实时同步线上的rds数据库中的数据,这个只读从库供业务方查询使用

gloryli 2020-11-12

MySQL ddl语句的使用

数据定义语言create、drop、alter语句 。定义对数据库记录的增、删、改操作。定义对数据库、表、字段、用户的访问权限和安全级别。这小节主要了解下数据定义语言DDL。我们用它对数据库、表进行一些管理操作,比如:建库、删库、建表、修改表、删除表、对字

云中舞步 2020-11-12

MySQL中使用binlog时格式该如何选择

每一条会修改数据的sql都会记录到master的bin-log中。slave在复制的时候sql进程会解析成和原来master端执行过的相同的sql来再次执行。另外就是,由于mysql现在发展比较快,很多的新功能加入,使mysql的复制遇到了不小的挑战,自然

要啥自行车一把梭 2020-11-12

mysql 8.0.22 安装配置图文教程

解压后的目录并没有的my.ini文件,没关系可以自行创建在安装根目录下添加的my.ini ,写入基本配置:。# 允许连接失败的次数。初始化MySQL,在安装时,避免权限问题出错我们尽量使用管理员身份运行CMD,否则在安装时会报错,会导致安装失败的情况,如下

aydh 2020-11-12

解决Navicat Premium 连接 MySQL 8.0 报错\"1251\"的问题分析

人闲太久,努力一下就以为是在拼命。1251 - Client does not support authentication protocol requested by server; consider upgrading MySQL client. My

kuwoyinlehe 2020-11-12

MySQL数据操作-DML语句的使用

DML数据操作语言,是指对数据库进行增删改的操作指令,主要有INSERT、UPDATE、DELETE三种,代表插入、更新与删除,这是学习MySQL必要掌握的基本知识。方语法中 [] 中内容可以省略。值的顺序和表中字段顺序须保持一致。

minerk 2020-11-12

详解 MySQL中count函数的正确使用方法

当搞清楚count函数的运行原理后,相信上面几个问题的答案就会了然于胸。为了解决上述的问题,我创建了一张 user 表,它有两个字段:主键id和name,后者可以为null,建表语句如下。`id` int NOT NULL AUTO_INCREMENT C

vitasfly 2020-11-12

MySQL 基于时间点的快速恢复方案

万幸,这份数据是平台上某些商品的价格,基本上是有限个商品,然后价格值也都是固定的,之前有对这个价格表进行备份,于是给他直接重新导入了一份价格表的数据,这个问题也算是解决了。新建一个实例,全库还原,然后应用备份的binlog,一直去追,追到数据被该坏的时间点

jazywoo在路上 2020-11-11

MySQL外键约束的实例讲解

MySQL的外键约束是用来在两个表之间建立链接的,其中一个表发生变化,另外一个表也发生变化。从这个特点来看,它主要是为了保证表数据的一致性和完整性的。也就是说,只要外键的每个非空值出现在指定的主键中,这个外键的内容就是正确的。

敏敏张 2020-11-11

MySQL用truncate命令快速清空一个数据库中的所有表

用文本编辑器把每条truncate语句前后的“|”替换为空字符,方便后面一次复制多条执行。truncate与drop是DDL语句,执行后无法回滚;delete是DML语句,可回滚。truncate会清空表中的所有行,但表结构及其约束、索引等保持不变;dro

世樹 2020-11-11

修改MySQL8.0 默认的数据目录(快捷操作无配置)

使用场景:我们使用的是阿里云,单独购买了数据盘,MySQL 8.0 数据库默认装在系统盘上,为了考虑安全性和空间问题,我们需要将默认的数据库目录更改到其它位置。操作系统:CentOS 7.6 数据库:MySQL 8.0 查看我本人更多原创文章,请点击

zry 2020-11-11
SCNUHB

SCNUHB

W3CSchool教程
HTML 教程
CSS 教程
Bootstrap 教程
Javascript 教程
jQuery 教程
后端教程
C 教程
Java 教程
PHP 教程
Python 教程
Go 教程
移动开发
Android 教程
Swift 教程
Kotlin 教程
jQuery Mobile 教程
ionic 教程
关于我们
新闻动态
联系方式
招聘英才
安科实验室
帮助与反馈

安科网(Ancii),中国第一极客网

Copyright © 2013 - 2019 Ancii.com

京ICP备18063983号 京公网安备11010802014868号