To all MySQL experts

Post by Otto » Thu Aug 30, 2018 8:21 am

Hello,
could it be that we save the admin password in clear text in the config file of MySQL:
$cfg['Servers'][$i]['password'] = 'myPW';

I mean if someone steals the MySQL folder he can do whatever he wants with these data.

Is there a way you can have a password for MySQL like we have with RDP, which only works on the machine where you created the password?

It seems to me very difficult to protect against download if someone is able to get access to the machine.

Thank you for your help
Otto
********************************************************************
mod harbour - Let's conquer the Web
modharbour.org
https://www.facebook.com/groups/modharbour.club
********************************************************************

Re: To all MySQL experts

Post by nageswaragunupudi » Thu Aug 30, 2018 8:28 am

MySql does not require storing any usernames or passwords in any config files. Not at all necessary. None of us do it.
Regards

G. N. Rao.
Hyderabad, India
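
An added example, not part of the thread and not phpMyAdmin's own code: a small Python check that flags a `config.inc.php` which stores a server password, as in the line quoted in the question. It assumes a single server block and relies on phpMyAdmin's `auth_type` setting, where `config` logs in with the stored credentials and `cookie` asks for them at login; both sample files are constructed.

```python
import re

# One setting per line, e.g.  $cfg['Servers'][$i]['password'] = 'myPW';
# Lines starting with // or # do not match, so commented-out settings are skipped.
SETTING = re.compile(
    r"""^\s*\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*(['"])(.*?)\2\s*;""",
    re.MULTILINE,
)

def audit_pma_config(text):
    """Return findings for a config.inc.php with a single server block (assumption)."""
    settings = {m.group(1): m.group(3) for m in SETTING.finditer(text)}
    findings = []
    # phpMyAdmin falls back to 'cookie' when auth_type is not set.
    if settings.get("auth_type", "cookie") == "config":
        findings.append("auth_type is 'config': logins use the credentials stored in the file")
    if settings.get("password"):
        findings.append("a server password is stored in clear text")
    return findings

# Constructed sample: the pattern from the question above.
WEAK = """<?php
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'myPW';
"""

# Constructed sample: the user types the password at login, nothing is kept on disk.
HARDENED = """<?php
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
// $cfg['Servers'][$i]['password'] = 'myPW';
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_pma_config(sample) or "no stored credentials")
```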

Re: To all MySQL experts

Post by dutch » Thu Aug 30, 2018 8:45 am

Dear Otto,

You can encrypt the password that is stored in the .INI.

But do not trim before saving to the ini.
Regards,
Dutch

FWH 19.01 / xHarbour Simplex 1.2.3 / BCC73 / Pelles C / UEStudio
FWPPC 10.02 / Harbour for PPC (FTDN)
ADS V.9 / MySql / MariaDB
R&R 12 Infinity / Crystal Report XI R2
(Thailand)

Re: To all MySQL experts

Post by Otto » Thu Aug 30, 2018 9:20 am

Dear Mr Rao,
thank you, I think I understand now what you will tell me.
If phpMyAdmin is deleted, the server is working fine, but without knowing the password you can’t access the databases.

Best regards
Otto

Re: To all MySQL experts

Post by Carles » Fri Aug 31, 2018 11:31 am

Otto,

It seems that your code is PHP. This is hosted on your server and in principle NO ONE should access your server. If someone accesses it, you will be a dead man.

You must differentiate Windows applications / web applications. In Windows you can have your user/psw inside your own exe or in external files with the encrypted data (for example *.ini files, dll files,...).

In a web environment, all configuration data is on the server and nobody (except the administrator) has access to this data.
Salutacions, saludos, regards

"...programming is easy, making programs is difficult..."

UT Page -> https://carles9000.github.io/
Forum UT -> https://discord.gg/bq8a9yGMWh
Skype -> https://join.skype.com/cnzQg3Kr1dnk

Re: To all MySQL experts

Post by Otto » Fri Aug 31, 2018 10:25 pm

Hello Carles,
I mean safety also if someone can get access to the server physically.

If you have some time – for example the night porter in a hotel -
it is easy to change the administrator password of a server.
Then you have access to the system.

Then it seems hacking a root PW should be no problem:

https://www.youtube.com/watch?v=dyc5b3yT2tI

Only encryption of the data can be a solution.

Best regards,
Otto

Re: To all MySQL experts

Post by Otto » Sat Sep 01, 2018 5:23 pm

Hello,
it seems that with root access – which should be easy if you have physical access to the server – you can reset the PW.

Otto

From the MySQL forum

Disable root password reset

Hi to all,
I'd like to know if it's possible to block and prevent the reset of root password of my mysql database, in order to increase security and avoid that someone can log to my database with root password damaging data or structure.


Only a user with root privs can reset root password without restarting the server with --skip-grant-tables, so ensure no-one except root has root privs, and that root cannot connect remotely.

Re: To all MySQL experts

Post by Carles » Sun Sep 02, 2018 8:22 am

Otto,

Otto wrote: Then it seems hacking a root PW should be no problem:
...


It's true, very easy...

Otto wrote: Only encryption of the data can be a solution.


In this case, if you use dbf you should also encrypt the data

Otto, if your server system is exposed, you should protect it too. It is one of the most important security measures
Salutacions, saludos, regards

Re: To all MySQL experts

Post by Otto » Sun Sep 02, 2018 6:56 pm

Hello Carles,
please see my post: encrypt-decrypt word doc
viewtopic.php?f=3&t=35194&p=209458&hilit=encrypt#p209458
I resolved my problem with file encryption.
But as you see in the post to my topic I think we trust too much the MySQL security.

Otto,
Do you use a SQL-database?
Then you store the DOC-file in a BLOB-field. The SQL-database is already password-protected.


Best regards
Otto

Re: To all MySQL experts

Post by Otto » Sun Sep 02, 2018 9:02 pm

Hello Carles,

What is the MySQL equivalent of SQL Server 2016 Always Encrypted technology or is there anything similar in MySQL that can act as AE?

https://dba.stackexchange.com/questions/158725/what-is-the-mysql-equivalent-of-sql-server-2016-always-encrypted-technology

Conclusion
Transparent Data Encryption is extremely simple to use. However, the data protection is very limited. TDE protects the data at rest only. However, Always Encrypted is really a powerful feature. It is still not too complex to implement, and the data is completely protected. Not even a DBA can see it without having an access to the encryption keys. Hopefully, the limitations for AE, especially the collation limitation, will be removed in the future versions of SQL Server.


https://codingsight.com/transparent-dat ... encrypted/



Best regards
Otto

Re: To all MySQL experts

Post by nageswaragunupudi » Tue Sep 04, 2018 3:17 am

If we have physical access to the server, we do not need to know any usernames or passwords to see the data. All we need is a hex editor, and most program editors can do this.

Navigate to the MySql/MariaDB installation folder and look for the folder "data". In this folder, we see each database as a subfolder. Within each subfolder, we see every table as <tablename>.ibd. Open this *.ibd in a hex editor and view all the data in the table in plain ASCII.

Table/Tablespace encryption protects from this.
Regards

G. N. Rao.
Hyderabad, India
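
An added example, not part of the thread: one way to confirm that table/tablespace encryption actually took effect is to insert a known canary value into a test row and then scan the `*.ibd` files for it, which is the same check the hex editor does by eye. The canary string and the two sample files below are constructed stand-ins, not real InnoDB pages; the byte-entropy figure is only a secondary hint (ciphertext sits close to 8 bits per byte).

```python
import math, os, tempfile
from collections import Counter

def scan_file(path, canary, chunk=1 << 20):
    """Return (canary_found, entropy in bits per byte) for one file."""
    counts, found, tail, keep = Counter(), False, b"", len(canary) - 1
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            counts.update(block)
            buf = tail + block          # carry-over catches a canary split across chunks
            found = found or canary in buf
            tail = buf[-keep:] if keep else b""
    total = sum(counts.values())
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values()) if total else 0.0
    return found, round(entropy, 2)

def audit_datadir(datadir, canary, chunk=1 << 20):
    """Scan every *.ibd under datadir; map relative path -> (found, entropy)."""
    report = {}
    for root, _dirs, files in os.walk(datadir):
        for name in sorted(files):
            if name.endswith(".ibd"):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, datadir).replace(os.sep, "/")
                report[rel] = scan_file(full, canary, chunk)
    return report

def demo():
    """Constructed stand-ins for two tablespace files (not real InnoDB pages)."""
    canary = b"CANARY-7f3a-at-rest-check"   # value you would INSERT into a test row
    with tempfile.TemporaryDirectory() as datadir:
        os.mkdir(os.path.join(datadir, "shop"))
        samples = {
            "customers.ibd": b"\x00" * 4090 + canary + b"\x00" * 8000,  # unencrypted
            "orders.ibd": os.urandom(16384),                           # ciphertext-like
        }
        for name, data in samples.items():
            with open(os.path.join(datadir, "shop", name), "wb") as fh:
                fh.write(data)
        return audit_datadir(datadir, canary, chunk=4096)

if __name__ == "__main__":
    for path, (found, entropy) in demo().items():
        print(f"{path}: {'PLAINTEXT canary found' if found else 'canary not found'}, {entropy} bits/byte")
```

Run it against a copy or snapshot of the data directory taken after a clean shutdown: a canary that is not found on a live server may simply not have been flushed to the tablespace file yet.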

Re: To all MySQL experts

Post by Otto » Tue Sep 04, 2018 6:25 am

Dear Mr Rao,
thank you for showing this. This is what I am afraid of.
As far as I know, encryption is only built into MariaDB, not MySQL. Is this right?
Thank you and best regards
Otto

Re: To all MySQL experts

Post by nageswaragunupudi » Tue Sep 04, 2018 8:45 am

MySQL Enterprise edition provides encryption as an optional feature.

In any case, the point is that MySql/MariaDB data is as secure or insecure as your DBF data. We need to keep the server physically inaccessible to others.

Larger organizations have their own security arrangements. Small organizations can adopt simpler solutions like keeping the server inside a locked grilled box/almirah with good ventilation.
Regards

G. N. Rao.
Hyderabad, India