MySQL users should use the following guidelines to keep passwords secure.
When you run a client program to connect to the MySQL server, it is inadvisable to specify your password in a way that exposes it to discovery by other users. The methods you can use to specify your password when you run client programs are listed here, along with an assessment of the risks of each method. In short, the safest methods are to have the client program prompt for the password or to specify the password in a properly protected option file.
Use a
-p
or
your_pass
--password=
option on the command line. For example:
your_pass
shell> mysql -u francis -pfrank db_name
This is convenient but insecure, because your password becomes visible to system status programs such as ps that may be invoked by other users to display command lines. MySQL clients typically overwrite the command-line password argument with zeros during their initialization sequence. However, there is still a brief interval during which the value is visible. Also, on some systems this overwriting strategy is ineffective and the password remains visible to ps. (SystemV Unix systems and perhaps others are subject to this problem.)
If your operating environment is set up to display your current command in the title bar of your terminal window, the password remains visible as long as the command is running, even if the command has scrolled out of view in the window content area.
Use the -p
or --password
option on the command line with no password value specified.
In this case, the client program solicits the password
interactively:
shell>mysql -u francis -p
Enter password:db_name
********
The “*
” characters indicate
where you enter your password. The password is not displayed
as you enter it.
It is more secure to enter your password this way than to specify it on the command line because it is not visible to other users. However, this method of entering a password is suitable only for programs that you run interactively. If you want to invoke a client from a script that runs noninteractively, there is no opportunity to enter the password from the keyboard. On some systems, you may even find that the first line of your script is read and interpreted (incorrectly) as your password.
Store your password in an option file. For example, on Unix
you can list your password in the
[client]
section of the
.my.cnf
file in your home directory:
[client] password=your_pass
To keep the password safe, the file should not be accessible
to anyone but yourself. To ensure this, set the file access
mode to 400
or 600
.
For example:
shell> chmod 600 .my.cnf
Section 4.2.3.3, “Using Option Files”, discusses option files in more detail.
Store your password in the MYSQL_PWD
environment variable. See
Section 2.13, “Environment Variables”.
This method of specifying your MySQL password must be
considered extremely insecure and
should not be used. Some versions of ps
include an option to display the environment of running
processes. If you set MYSQL_PWD
, your
password is exposed to any other user who runs
ps. Even on systems without such a
version of ps, it is unwise to assume
that there are no other methods by which users can examine
process environments.
On Unix, the mysql client writes a record of
executed statements to a history file (see
Section 4.5.1, “mysql — The MySQL Command-Line Tool”). By default, this file is named
.mysql_history
and is created in your home
directory. Passwords can appear as plain text in SQL statements
such as GRANT
and
SET PASSWORD
, so if you use these
statements, they are logged in the history file. To keep this
file safe, use a restrictive access mode, the same way as
described earlier for the .my.cnf
file.
If your command interpreter is configured to maintain a history,
any file in which the commands are saved will contain MySQL
passwords entered on the command line. For example,
bash uses
~/.bash_history
. Any such file should had a
restrictive access mode.
User Comments
It seems this page doesn't cover how to call the mysql commands in scripts without passing the password in clear. One solution could be to use expect with mysql -u user -p, but a much better solution using an undocumented mysql option: --defaults-file.
With a POSIX/Bourne like shell:
{ printf '[client]\npassword=%s\n' xxxx |
3<&0 <&4 4<&- mysql --defaults-file=/dev/fd/3 -u myuser
} 4<&0
The password is then passed using a pipe between your shell and the mysql command.
Or with ksh93, zsh or bash and some implementations of ksh88:
mysql --defaults-file <(
printf '[client]\npassword=%s\n' xxxx
) -u myuser
If "printf" is not built in your shell, you can use echo instead but beware of backslashes, you you can use an here-file or here-string.
Add your own comment.