Tuesday, May 29, 2012

Secure passwords being insecure

If you follow the general advice for creating secure passwords, the following ones seem to be secure, right?

  • s11P$||!sh&2
  • pr0&!!ke0
  • 3kj39|!381

The answer to the question is, “it depends on how you use them” :)
Notice that these passwords all contain multiple exclamation points and ampersands, which are normally special characters for your shell. People tend to copy and paste them directly into the terminal, but that can lead to unpredictable behaviour and cause big problems, depending on the character combination.
Let’s execute the previous examples.
Login to mysql:

    root@debian:~# mysql -uroot -ps11P$||!sh&2
    mysql -uroot -ps11P$||shutdown -r now&2
    [1] 1758
    -bash: 2: command not found
    root@debian:~# ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

    Broadcast message from root@debian (pts/0) (Sun May 27 13:14:34 2012):
    The system is going down for reboot NOW!

|| is the shell’s OR operator, so bash treats what follows it as a second command. !sh is a history expansion that refers to the most recent command beginning with “sh”, which here was “shutdown -r now”; the trailing &2 sends that command to the background and then tries to run “2” as a command of its own (hence “command not found”). mysql itself only received the part before ||, which is why it reports access denied.
So logging in to mysql is not very safe. Now let’s check the replication data:

    root@debian:~# pt-table-checksum u=root,p=pr0&!!&ke0
    pt-table-checksum h=localhost,u=root,p=pr0&shutdown -r now&ke0
    [1] 1736
    [2] 1737
    -bash: ke0: command not found
    root@debian:~#

    Broadcast message from root@debian (pts/0) (Sun May 27 13:46:08 2012):
    The system is going down for reboot NOW!

In this case the combination !! makes Bash substitute the last command, “shutdown -r now”, and the & on either side of it puts pt-table-checksum and the shutdown in the background (jobs [1] and [2]), leaving ke0 to be run as a separate command.
Let’s try to run some backups :)

    root@debian:~# innobackupex --password=3kj39|!381
    innobackupex --password=3kj39|/etc/init.d/mysql restart
    Stopping MySQL database server: mysqldinnobackupex: Missing command line argument
    .
    Starting MySQL database server: mysqld.

In this last example, !381 asks Bash to substitute command number 381 from the history, which is “/etc/init.d/mysql restart”, and the | pipes innobackupex’s output into it; innobackupex is left with an incomplete command line, hence “Missing command line argument”.
These are only a few examples. Of course, I’m not telling you to use simple passwords. The lesson is “don’t paste your password into the shell”: first because it will be logged to Bash’s history file, and second because some character combinations can cause big problems.
To avoid these problems:

  • Don’t run commands from the root account. There are no small mistakes when you make them from root.
  • Use .my.cnf in your home directory to avoid typing a password. Protect the file with permission mode 0600.
  • Use the -p option (with no password attached) with mysql and its utilities. This makes the programs prompt you for a password from the tty.


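The behaviour above comes down to a handful of characters that an interactive bash interprets before the program ever sees them. As an added example, not from the original post, here is a small POSIX shell script that flags such passwords (using the post's three as input), shows the single-quoted form the shell would take literally, and writes the client option file the post recommends; the function names has_shell_metachars, shell_quote, quote_roundtrip_ok and write_client_cnf are hypothetical, chosen for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The three passwords are the post's
# own; the helper functions (has_shell_metachars, shell_quote, quote_roundtrip_ok,
# write_client_cnf) are hypothetical names written for this illustration.

# 1. Flag a password an interactive bash will not take literally when pasted
#    unquoted. Allowlist approach: anything outside this conservative set
#    (!, &, |, $, `, quotes, ;, < >, * ?, #, ~, braces, whitespace ...) is flagged.
has_shell_metachars() {
    printf '%s' "$1" | LC_ALL=C grep -q '[^A-Za-z0-9._/:@%+,-]'
}

# 2. Single-quote a value so the shell treats it as one literal word: nothing is
#    expanded inside single quotes, and an embedded ' is written as '\'' .
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# 3. Check that the quoted form survives the shell parser unchanged.
quote_roundtrip_ok() {
    [ "$(eval "printf '%s' $(shell_quote "$1")")" = "$1" ]
}

# 4. The post's recommendation instead of -p<password>: a client option file
#    created under umask 077, so it is mode 0600 from the moment it exists.
#    The value is double-quoted for the option-file parser; a " or \ inside the
#    password would additionally need a backslash escape under MySQL's rules.
write_client_cnf() {   # $1 = path, $2 = user, $3 = password
    ( umask 077 && printf '[client]\nuser=%s\npassword="%s"\n' "$2" "$3" > "$1" )
}

for pw in 's11P$||!sh&2' 'pr0&!!ke0' '3kj39|!381' 'OnlyLettersAndDigits42'; do
    if has_shell_metachars "$pw"; then
        printf 'unsafe to paste bare: %-24s paste as %s\n' "$pw" "$(shell_quote "$pw")"
    else
        printf 'literal in the shell: %s\n' "$pw"
    fi
done
```

Even the quoted form still lands in the shell history, so the option file or an interactive -p prompt remains the better choice.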