Question:
I'm still playing with my own DB, trying to learn, and saw this:
I could change the root password without any problem at all… If I’m in the server I can create an algorithm to start testing passwords and someday I will find it, I mean:
Web-Services-iMac-2:~ jbolivar$ mysqladmin -utest1 -p**SOME_THING_HERE** password test1
Is it OK to change the password using this?
update mysql.user set password=PASSWORD('test') where user='test1';
Besides that, if I create a dictionary table (a table with all possible words) and apply PASSWORD("word"), I can make a join and find the value of any password, right?
Can you give me your opinion about my analysis?
Answer:
Before you continue playing with mysqladmin, you need to make sure your installation is not intentionally giving away access.
For starters, can you log in to mysql like this?
# mysql <hit enter>
If you can get in just like that, run this command:
SELECT USER(),CURRENT_USER();
- USER() reports how you attempted to authenticate in MySQL
- CURRENT_USER() reports how you were allowed to authenticate in MySQL
If CURRENT_USER() returns a user and host where the user is blank, then you were allowed in as an anonymous user. At that point, you can remove anonymous users with this:
DELETE FROM mysql.user WHERE user='';
FLUSH PRIVILEGES;
Now, locate all users with no password with this:
SELECT user,host,password FROM mysql.user;
If any users have no password, you can issue new passwords for those users using mysqladmin, or you could just assign them as follows:
UPDATE mysql.user SET password=PASSWORD('whateverpassword') WHERE user='...' AND host='...';
FLUSH PRIVILEGES;
Now, check for remote users:
SELECT user,host FROM mysql.user WHERE host='%';
If you see any, run this:
DELETE FROM mysql.user WHERE host='%';
FLUSH PRIVILEGES;
Make sure, when all is said and done, that at least root@localhost and/or root@127.0.0.1 exist and have a password:
SELECT user,host,password FROM mysql.user WHERE user='root';
I could probably go on. Here are other posts I have about stuff like this:
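The checks in the answer above, collected into one audit pass as an added example (not part of the original question or answer). It assumes rows fetched with the answer's SELECT user,host,password FROM mysql.user; the function names, deny-list and sample rows are constructed here, and the deny-list match works because PASSWORD() in MySQL 4.1+ is an unsalted double SHA-1, so equal passwords always give equal hashes.

```python
import hashlib


def mysql_password(plaintext: str) -> str:
    """Reproduce MySQL 4.1+ PASSWORD(): '*' + HEX(SHA1(SHA1(plaintext))), no salt."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def audit_users(rows, weak_words=()):
    """Audit (user, host, password_hash) rows; return (account, issue) findings."""
    # Hash the deny-list once; unsalted hashes make this a plain lookup.
    weak_hashes = {mysql_password(word) for word in weak_words}
    findings = []
    for user, host, pw_hash in rows:
        account = f"'{user}'@'{host}'"
        if user == "":
            findings.append((account, "anonymous user"))
        if not pw_hash:
            findings.append((account, "no password"))
        elif pw_hash in weak_hashes:
            findings.append((account, "password is a deny-listed word"))
        if host == "%":
            findings.append((account, "remote wildcard host"))
    # The answer's last check: a local root account must exist with a password.
    local_root_ok = any(
        user == "root" and host in ("localhost", "127.0.0.1") and pw_hash
        for user, host, pw_hash in rows
    )
    if not local_root_ok:
        findings.append(("root", "no local root account with a password"))
    return findings


# Constructed sample rows (hypothetical accounts, not taken from the post).
SAMPLE_ROWS = [
    ("root", "localhost", mysql_password("S0me-long-Passphrase!")),
    ("", "localhost", ""),
    ("test1", "%", mysql_password("test1")),
    ("app", "localhost", ""),
]

if __name__ == "__main__":
    for account, issue in audit_users(SAMPLE_ROWS, weak_words=["test", "test1"]):
        print(f"{account}: {issue}")
```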