MySQL MariaDB password reset without knowing the password
-
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
@dbeato the system was setup as a demo and was moved to production. The person who set up the environment is no longer and I'm just trying to close any holes that may exist.
The system isn't super critical, but it would be nice to have all of this aligned.
is this the demo you mentioned a while ago on a rant?
-
@dbeato said in MySQL MariaDB password reset without knowing the password:
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
@dbeato the system was setup as a demo and was moved to production. The person who set up the environment is no longer and I'm just trying to close any holes that may exist.
The system isn't super critical, but it would be nice to have all of this aligned.
is this the demo you mentioned a while ago on a rant?
Not recalling which rant in particular, you'd have to remind me. But I don't think so.
-
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
@dbeato said in MySQL MariaDB password reset without knowing the password:
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
@dbeato the system was setup as a demo and was moved to production. The person who set up the environment is no longer and I'm just trying to close any holes that may exist.
The system isn't super critical, but it would be nice to have all of this aligned.
is this the demo you mentioned a while ago on a rant?
Not recalling which rant in particular, you'd have to remind me. But I don't think so.
This one
https://mangolassi.it/topic/1022/what-are-you-doing-right-now/69963 -
@dbeato said in MySQL MariaDB password reset without knowing the password:
Not recalling which rant in particular, you'd have to remind me. But I don't think so.
That's from months ago, not nearly recent, and that was an ESXi/Dell issue I was ranting about.
-
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
So I've been able to reset the root mysql user password, which is great, so now that's secured and functional. Now I just need to change the database user password and update the config file for said new password.
But to figure out how the password is hashed. . .
That should be easy as above... Change the DB user's password, and then update the config file in the application to use the right password.
Did that not work?
-
@dafyre said in MySQL MariaDB password reset without knowing the password:
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
So I've been able to reset the root mysql user password, which is great, so now that's secured and functional. Now I just need to change the database user password and update the config file for said new password.
But to figure out how the password is hashed. . .
That should be easy as above... Change the DB user's password, and then update the config file in the application to use the right password.
Did that not work?
It didn't because the config file has the password hashed, so I'm looking into how that is hashed from the dev so I can update it there.
I think this topic is closed just need to figure out the program side config file.
-
Which, the password is hashed in mysql, so it's not in plain text, and from that it gets hashed and put into the config file that the program uses.
-
Okay so the password is actually in plain text in the config file. . . so now that I know that I can update the password and go from there.
And here I thought it was hashed. . .
-
Which also means, now that I know what the password is, I don't need to change it. . .
-
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
Okay so the password is actually in plain text in the config file. . . so now that I know that I can update the password and go from there.
And here I thought it was hashed. . .
This is normal usage for applications. There is no point in storing a password any other way.
If you need to log in to a system, you send the username and password. Nothing ever sends a hashed password to login. Just WTF led to even thinking that?
So because of that why store it in any weird form? It will have to be reversed into the raw password anyway to log in.
-
These log ins are "secure" assuming they are only allowed to connect via lcoalhost and such.
As is obvious by your acquisition of the root password, there is no point in any thing else, as once console access is obtained, the system is 100% open to any attacker anyway.
-
@JaredBusch said in MySQL MariaDB password reset without knowing the password:
Just WTF led to even thinking that?
The password looked like a hash, thus I was investigating it. It makes sense, now that I've gone through the entire process, I don't deal with mysql in my regular day to day.
Just still seems weird to have the password in plaintext on in a config file.
-
@JaredBusch said in MySQL MariaDB password reset without knowing the password:
These log ins are "secure" assuming they are only allowed to connect via lcoalhost and such.
They are limited to the localhost, so yeah it's all set now.
-
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
@JaredBusch said in MySQL MariaDB password reset without knowing the password:
Just WTF led to even thinking that?
The password looked like a hash, thus I was investigating it. It makes sense, now that I've gone through the entire process, I don't deal with mysql in my regular day to day.
Just still seems weird to have the password in plaintext on in a config file.
No, you seem weird for thinking such. It is standard, and it has nothing to do with MySQL or Linux. The exact same can be seen with IIS connecting to MS SQL. or any other example you can think of.
Here is something on an Azure web service connecting to an Azure SQL database.
-
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
Just still seems weird to have the password in plaintext on in a config file.
has to be somewhere, how else can an application connect? Look at WordPress, for example, you have to enter the password into the application so that the application can connect to the database. Otherwise, the database would have to have no password protection at all or you'd need a human to log in and enter the password every time a database connection was needed (which is normally thousands of times a minute.)
