23

I was presented with an argument to the tune of "you don't need a strong mysql user password because in order to use it, they'd already have access to your server." We're talking about a 4 digit password that is a standard english dictionary word on a live business website.

Without influencing the answers with my own knowledge and experience, I'd like to show them some responses from a disinterested 3rd party source. Anyone care to chime in on this one? Programming / practical answers would be appreciated.

Citizen
  • 560
  • 6
  • 16

16 Answers16

39

Whoever was making this argument seems to be saying "Once someone has their foot in the door, you might as well give them complete access". By that logic, a firewall negates the need for all passwords on your internal network.

Strong passwords are one step towards limiting the damage done by network intrusion. There's no reason to throw your hands up in defeat just because one small part of your network was compromised.

user229044
  • 505
  • 4
  • 10
  • 13
    'Defense in Depth' is the motto of the day. – Scott Pack Dec 07 '10 at 16:48
  • 3
    Just note that once they have access to your filesystem, they'd have access to your PHP file or config file where your password is stored anyway unless you've set up some additional security for this, which is usually difficult or impossible on shared hosts. – Lotus Notes Dec 07 '10 at 17:30
  • 2
    @Lotus Assuming the PHP and MySQL servers are the same machine. – user229044 Dec 07 '10 at 18:51
  • 2
    @Lotus Notes, You should not use the root user in an application anyways. A well designed application only allows the access that is necessary. Most of the time, this includes access to the data, but not always all of the data, and in some cases, it may even be read-only. – bradlis7 Dec 07 '10 at 21:15
  • 1
    @Lotus Notes: Many shared hosts employ suPHP which affords the chmod-ing 660 of sensitive PHP files. – webbiedave Dec 08 '10 at 15:23
  • 1
    My webservers usually have 3 accounts that are used, root, mysql and www-data. When any of this accounts is compromised and shell-access is gained, the data is already compromised. root is obvious, mysql can access directly the data files and www-data has the password stored somewhere to be able to access mysql. In this case, is your argument still valid? – Peter Smit Dec 14 '10 at 09:24
  • 1
    @Peter Yes, my argument is still valid, as my whole argument is "just because your password might be compromised doesn't mean you shouldn't use a password". You've highlighted one specific case where the password is compromised. This isn't cause to give up on password-protecting your database, as there are countless other cases in which a strong password would protect it. – user229044 Dec 14 '10 at 21:28
  • 1
    @Peter As an aside, you probably shouldn't be allowing your `mysql` and `www-data` users to login interactively. – user229044 Dec 14 '10 at 21:29
14

It really goes back to the idea of 'Defense in Depth' so at least a strong password could slow them down so that you can discover and block them. I like the analogy of having a single key for a gated community vs. a key on the door of every house.

Power-coder
  • 241
  • 1
  • 4
  • I was waiting for somebody to come up with a key/door analogy :| – user229044 Dec 07 '10 at 16:57
  • But a different key for every door in your house is probably overboard. Where do you draw the line? – Dan Dec 07 '10 at 18:42
  • 4
    @Dan: but in a secure facility, you would expect a different key for every door, right? In a single-family house no—you'd expect all locks to use the same key. But in a shared house (like with roommates), it would depend on the household philosophy: either unlocked doors (maybe doors all using the same key), or different keys per roommate. – wallyk Dec 07 '10 at 19:19
  • 5
    Locks and other safety devices are primarily used for the amateur thief or only to deter the professional. Another deterrent is adequate lighting around the house and to avoid regular routines that make it obvious where and what you do throughout the day. Never chat with a stranger about vacation plans and alert local police if you are gone for an extended period of time. Always try to make it appear as if someone is at home. Also, to ... wait, what was the question again? – Stephen Watkins Dec 07 '10 at 21:01
6

It depends a lot on how your MySQL server is setup. If it only accepts requests off of the home (127.0.0.1) ip, that does make it moderately more secure.

Given a scenario where you allow remote IPs it becomes a much bigger deal.

In addition to that, it's always good to have strong security in case of intrusion - better that they walk away with as little as possible.

DivinusVox
  • 181
  • 3
6

Is there a lock on the Petty Cash box in Accounting? If so, why? Doesn't the building have physical security?

JohnFx
  • 225
  • 2
  • 11
5

you don't need a strong mysql user password because in order to use it, they'd already have access to your server

This isn't true, because mysql can also be used in cross-network client-server enviroment, and by default the only thing you need is user/pass to gain access to the database (offcourse, with 3306 port opened and server publicly visible).

Denis Biondic
  • 159
  • 3
5

Indeed it can be the other way : if they have access to mysql, they could be able to access the server OS itself.

  1. MySQL LOAD_FILE and SELECT ... INTO OUTFILE queries enable mysql users to read and write files on the underlying filesystem. Any file that the mysql user has access too (is your MySQL running as root ?). If under linux/UNIX just query SELECT LOAD_FILE('/etc/passwd') and see them grin. If mysqld is running as root you can try SELECT LOAD_FILE('/etc/shadow') and watch your sysadmin cry.
  2. Many times under linux the mysql user "root" has the same password as the server's "mysql" user (the one which runs mysqld). Then if this password is trivial (or findable by automated tools such as medusa/hydra) then you can just SSH/telnet directly to the database server and fool around.
Renik
  • 436
  • 2
  • 5
5

Something that seems to have been overlooked here is, do you trust your users on the trusted network?

Frankly, I don't, because I know what I was like when I was starting out in IT. I would poke and prod in areas that I had no right to, and frankly a weak MySQL password would have been a delight to me as I would have taken a pot-luck chance and got in and I could have wreaked havock (by accident, of course).

What if someone uses social engineering to get onto your trusted network? Then what do you do? If they're on a machine behind the firewall them blammo, your rock-solid firewall security is ruined and they're straight into the machine.

Strong passwords are so simple to do and there's a lot of password management tools to make keeping the passwords secure easy, so there's really no excuse for not doing it.

Mark Henderson
  • 68,823
  • 31
  • 180
  • 259
  • The thing is, you shouldn't allow remote connections in MySQL, or if you need, then specify `localhost`/`127.0.0.1` as the host. This way, no one can access the databases outside (even the ones in the same network). – Chazy Chaz Jul 25 '17 at 19:02
4

If someone gets root access to your server, then they won't need any MySQL password. But if they can only execute apps on your server as a non-root and non-web user, then a strong MySQL password can still save your data. But yeah, most hacks come from the web, that means the hacker will get access to your web account and can therefore extract the DB password from PHP files.

All of this assuming your MySQL server is not accepting connections from anywhere but localhost. If it does then you need a strong PW.

rustyx
  • 1,676
  • 3
  • 21
  • 30
3

Because requirements change...

So the server today that is limited to accepting MySQL connections to only the local machine, may tomorrow be opened up so that an external tool can be used to manage the database. The person doing this setup may not know that there are extremely weak passwords in use.

If your user is inconvenienced by having to remember a good, strong (e.g.: long, random) password, consider making it very strong and then storing it in the .my.cnf -- even more convenient than having a weak password that they have to type. Of course, there are security implications to this too, but you're going to have to store your password somewhere, for example the applications that access it, so you're already securing copies of the password.

But also read what @meagar said.

Sean Reifschneider
  • 10,720
  • 3
  • 25
  • 28
2

Eh. If your server is IP locked, and your user is restricted to SELECT on a set of tables where you don't care about the information, it's not a huge deal.

On the other hand, I set my MySQL passwords by whacking on the keyboard for a minute, and copy pasting the resulting gibberish into a protected file, which I reference in my code whenever I need to log in. This is how it should work.

Why make it easy? If the password is attached to a limited local account (as they all should be), then why are you typing it in? If it's not, it should have a password whose strength is relative to the value of the data you're protecting.

Satanicpuppy
  • 5,946
  • 1
  • 17
  • 18
2

mySQLs account/access information is stored in a separate file from the actual databases. Thus you can simply drag and drop a different file into its place. With mySQL if they have write access to the relevant part of your filesystem the game is over.

John Robertson
  • 173
  • 1
  • 7
1

The premise that they would already have access is not true. However, if they do have access, and they have a non-privileged account, they could still easily hack the mysql password.

Also, If the server is a live production server, than you are advertising yourself to the internet. that means that at some point, someone WILL try a brute force attack on that server, including mysql, both the port and the user account.

if you care about the data, than basic steps are to have a different root password for the database than for the root user. others have stated that you should also have the lowest permissions possible for users and programs.

a 4 character password can be hacked in minutes, on a pretty cheap computer.

I may just be repeating what other have said, but the more ammo you have for your manager, the better.

weismanm
  • 71
  • 4
1

Many of the real-life-scenario reasons were covered by posts before so I'll add the "philosophy" one. Using strong passwords and taking precautions to tighten you security is a work philosophy. A way of thinking.

Using a weak password now because you're mysql runs only on 127.0.0.1 and only the root user has access to it shows that you don't think ahead. What happens if one day you'll need to grant over-network access to your mysql. Will you remember to cover all the security wholes that you left?

A good admin puts the worst scenario first to the point of paranoia.

Cristian Vrabie
  • 73
  • 9
1

It depends on what rights that user has, you should always lock down things on multiple levels. Also it depends on the data your storing in your database. Also say hypothetically there is a vulnerability in MySQL that allows them to take over the whole database but they just needed to logged into any user account. If your password was strong this would make this vulnerability mute. But this really just depends on your specific case.

ddcruver
  • 229
  • 1
  • 4
  • If the MySQL server is compromised, the user and password are useless. The database files are not encrypted. MySQL users for apps should have localhost/127.0.0.1 as host so that they can't be used remotely or disable remote connections. – Chazy Chaz Jul 25 '17 at 18:45
1

It is very easy to impersonate someone else in mysql. Given a user id with no password (the weakest security) just use mysql -u userid. If it has a password it is a little more difficult, but a weak password makes it easy. If root has no password, I can access root as mysql -u root. I can then do anything inside the database that root can.

Use of host specifications in the security is also a good idea, especially if remote access is or may be available.

Passwords in files can and should be somewhat secured by permissions. Access by root, or the owner of the password file is trivial. If possible encryption of the password on disk should be used. This makes it slightly more difficult to access, but still vulnerable.

BillThor
  • 27,737
  • 3
  • 37
  • 69
0

Well, if you're not hosting the MySQL db yourself, but it's on a hosting service and someone gains access to your Server's IP address, the username and password are your last line of defense. It's always good to have a secure username / password.

John
  • 129
  • 1
  • 1
  • 6
  • Meh! If someone gains access to the server then they can read the user/password from the PHP files... Please, update or delete this answer. – Chazy Chaz Jul 25 '17 at 18:41