Oracle 5.0 Reference Manual page 582

Keeping Passwords Secure

• Use the -p or --password option on the command line with no password value specified. In this case, the client program solicits the password interactively:

shell> mysql -u francis -p db_name
Enter password: ********

The "*" characters indicate where you enter your password. The password is not displayed as you enter it.

It is more secure to enter your password this way than to specify it on the command line because it is not visible to other users. However, this method of entering a password is suitable only for programs that you run interactively. If you want to invoke a client from a script that runs noninteractively, there is no opportunity to enter the password from the keyboard. On some systems, you may even find that the first line of your script is read and interpreted (incorrectly) as your password.

• Store your password in an option file. For example, on Unix, you can list your password in the [client] section of the .my.cnf file in your home directory:

[client]
password=your_pass

To keep the password safe, the file should not be accessible to anyone but yourself. To ensure this, set the file access mode to 400 or 600. For example:

shell> chmod 600 .my.cnf

To name from the command line a specific option file containing the password, use the --defaults-file=file_name option, where file_name is the full path name to the file. For example:

shell> mysql --defaults-file=/home/francis/mysql-opts

Section 4.2.3.3, "Using Option Files", discusses option files in more detail.

• Store your password in the MYSQL_PWD environment variable. See Section 2.21, "Environment Variables".

This method of specifying your MySQL password must be considered extremely insecure and should not be used. Some versions of ps include an option to display the environment of running processes. On some systems, if you set MYSQL_PWD, your password is exposed to any other user who runs ps. Even on systems without such a version of ps, it is unwise to assume that there are no other methods by which users can examine process environments.

On Unix, the mysql client writes a record of executed statements to a history file (see Section 4.5.1.3, "mysql Logging"). By default, this file is named .mysql_history and is created in your home directory. Passwords can be written as plain text in SQL statements such as CREATE USER, GRANT, and SET PASSWORD, so if you use these statements, they are logged in the history file. To keep this file safe, use a restrictive access mode, the same way as described earlier for the .my.cnf file.

If your command interpreter is configured to maintain a history, any file in which the commands are saved will contain MySQL passwords entered on the command line. For example, bash uses ~/.bash_history. Any such file should have a restrictive access mode.

6.1.2.2. Administrator Guidelines for Password Security

Database administrators should use the following guidelines to keep passwords secure.

MySQL stores passwords for user accounts in the mysql.user table. Access to this table should never be granted to any nonadministrative accounts.
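
The end-user guidelines above (option file mode 400 or 600, restrictive history files, no MYSQL_PWD), as an added audit script that is not part of the manual. The function names and the regular expression for passwords typed on the command line are assumptions made for this example; the script treats any mode without group or other access as acceptable.

```shell
#!/bin/sh
# Added example (not from the manual): audit DIR, normally $HOME, for the
# password exposures described above. Prints one FINDING line per problem.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when neither group nor others have any access (for example 400, 600).
mode_is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# Assumed pattern: a mysql* client invoked with -pVALUE or --password=VALUE.
# "-p" followed by a space (the interactive prompt) does not match.
INLINE_PW='mysql[a-z]*([[:space:]].*)?[[:space:]](--password=|-p)[^[:space:]]'

audit_mysql_secrets() {
    dir=$1
    # The option file and both history files must be private to the owner.
    for name in .my.cnf .mysql_history .bash_history; do
        [ -f "$dir/$name" ] || continue
        mode=$(file_mode "$dir/$name")
        mode_is_private "$mode" ||
            echo "FINDING: $dir/$name has mode $mode, expected 400 or 600"
    done
    # Passwords given on the command line are saved in the shell history.
    # Only a count is printed so the audit output does not repeat secrets.
    if [ -f "$dir/.bash_history" ]; then
        n=$(grep -Ec "$INLINE_PW" "$dir/.bash_history" || true)
        [ "$n" -eq 0 ] ||
            echo "FINDING: $dir/.bash_history holds $n command(s) with an inline password"
    fi
    # MYSQL_PWD can be read by anyone able to view process environments.
    [ -z "${MYSQL_PWD+set}" ] ||
        echo "FINDING: MYSQL_PWD is set in this environment"
    return 0
}

# Audit the directory given as the first argument, or $HOME by default.
audit_mysql_secrets "${1:-$HOME}"
```

Run it as the account whose files you want to check; each FINDING line names the file or variable to fix.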


This manual is also suitable for:

Mysql 5.0
