Chapter 45. MySQL User Account Management

Table of Contents

MySQL Usernames and Passwords
When Privilege Changes Take Effect
Setting Up the Initial MySQL Privileges
Adding New Users to MySQL
Deleting Users from MySQL
Limiting user resources
Setting Up Passwords
Keeping Your Password Secure
Using Secure Connections
Basics
Requirements
Setting Up SSL Certificates for MySQL
SSL GRANT Options
SSL Command-line Options
Connecting to MySQL Remotely from Windows with SSH

MySQL Usernames and Passwords

There are several distinctions between the way usernames and passwords are used by MySQL and the way they are used by Unix or Windows:

  • Usernames, as used by MySQL for authentication purposes, have nothing to do with Unix usernames (login names) or Windows usernames. Most MySQL clients by default try to log in using the current Unix user name as the MySQL username, but that is for convenience only. Client programs allow a different name to be specified with the -u or --user options. This means that you can't make a database secure in any way unless all MySQL usernames have passwords. Anyone may attempt to connect to the server using any name, and they will succeed if they specify any name that doesn't have a password.

  • MySQL usernames can be up to 16 characters long; Unix usernames typically are limited to 8 characters.

  • MySQL passwords have nothing to do with Unix passwords. There is no necessary connection between the password you use to log in to a Unix machine and the password you use to access a database on that machine.

  • MySQL encrypts passwords using a different algorithm than the one used during the Unix login process. See the descriptions of the PASSWORD() and ENCRYPT() functions in Encryption functions. Note that even though the password is stored 'scrambled', knowing your 'scrambled' password is enough to be able to connect to the MySQL server! From version 4.1, MySQL employs a different password and login mechanism that is secure even if TCP/IP packets are sniffed and/or the mysql database is captured.
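The following Python script is an added example, not part of the MySQL manual. It checks the batch output of mysql -B -N -e "SELECT Host, User, Password FROM mysql.user" for the two conditions described in the list above: accounts with no password, and accounts whose stored password is still in the pre-4.1 format (16 hex characters, as opposed to '*' plus 40 hex characters from 4.1 on). The function names and the sample rows, including the hash values, are constructed for illustration, and the Password column is assumed to exist as it does in the MySQL versions this chapter covers.

```python
import re

# PASSWORD() output formats stored in mysql.user.Password:
#   pre-4.1: 16 hex characters; 4.1 and later: '*' followed by 40 hex characters.
OLD_HASH = re.compile(r"[0-9a-fA-F]{16}")
NEW_HASH = re.compile(r"\*[0-9a-fA-F]{40}")

# Constructed sample of `mysql -B -N` output (tab-separated Host, User, Password).
# The hash values are made-up placeholders, not hashes of real passwords.
SAMPLE = (
    "localhost\tmonty\t*0123456789ABCDEF0123456789ABCDEF01234567\n"
    "%\tguest\t\n"
    "localhost\tlegacy\t0123456789abcdef\n"
    "db1.example.com\tbackup\tnot-a-hash\n"
)

def classify(password_field):
    """Return a status label for one Password column value."""
    if password_field == "":
        return "NO_PASSWORD"      # anyone can connect under this name
    if OLD_HASH.fullmatch(password_field):
        return "PRE_4_1_HASH"     # knowing the stored value is enough to log in
    if NEW_HASH.fullmatch(password_field):
        return "4_1_HASH"
    return "UNRECOGNIZED"         # needs manual review

def audit(tsv_text):
    """Return (user, host, status) for every row that is not a 4.1-format hash."""
    findings = []
    for line in tsv_text.splitlines():
        if not line:
            continue
        fields = line.split("\t")
        # A trailing empty Password column can be lost if the output was trimmed.
        fields += [""] * (3 - len(fields))
        host, user, password = fields[:3]
        status = classify(password)
        if status != "4_1_HASH":
            findings.append((user, host, status))
    return findings

if __name__ == "__main__":
    for user, host, status in audit(SAMPLE):
        print(f"{user}@{host}: {status}")
```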

MySQL users and their privileges are normally created with the GRANT command. See GRANT.

When you log in to a MySQL server with a command-line client, you should specify the password with --password=your-password. See Connecting.

mysql --user=monty --password=guess database_name

If you want the client to prompt for a password, which keeps the password off the command line, you should use --password without any argument:

mysql --user=monty --password database_name

or the short form:

mysql -u monty -p database_name

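Note that in the last example the password is not 'database_name': because -p is followed by a space, the client prompts for the password and treats database_name as the database to use.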

If you want to use the -p option to supply a password, you should do so like this, with no space between -p and the password:

mysql -u monty -pguess database_name

On some systems, the library call that MySQL uses to prompt for a password will automatically truncate the password to 8 characters. Internally, MySQL doesn't have any limit for the length of the password.