ABCs of Password Security

By Lisa Vaas  |  Posted 2005-02-01

These inexperienced MySQL users must be educated as to the essentials of security. Rule No. 1 is that root password abilities must be disabled. Alternate log-ins give full administrative access with a separate password and also must be changed from the default. Evert Ford is a software developer and MySQL user at Westone Laboratories, in Colorado Springs, Colo. He told me that he's not aware of there being many security-oblivious MySQL users, judging from the time he spends in online forums. "The reason I'd say this is that MySQL is an open-source application," he told me. "The feeling I've gotten in reading the forums and talking to friends is the default behavior for most MySQL administrators is they unpack an application and they automatically reset the passwords."
That is undoubtedly true for the majority of MySQL users, but when you're talking about a database that's up to some 8 million downloads, you're going to get some inexperienced users in the bunch.
That's fine. As Ford said, we've all got to start someplace, and starting with an open-source database like MySQL is a great place to launch a DBA career. But, if you know of any inexperienced MySQL downloaders, do us all a favor and educate them as to the importance of changing default passwords and of creating strong passwords. Microsoft has a good Web page devoted to creating strong passwords. The gist is simple. A strong password:
  • Is at least seven characters long.
  • Contains letters, numbers and symbols.
  • Has at least one symbol character in the second through sixth positions.
  • Is significantly different from prior passwords.
  • Doesn't contain names or user names.
  • Isn't a common word or name.
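The six rules above, turned into a checker you can run against candidate passwords. This is an added example, not code from the article or from Microsoft's page; the 0.8 similarity threshold for "significantly different" and the short list of common words are assumptions chosen for illustration.

```python
import string
from difflib import SequenceMatcher

SYMBOLS = set(string.punctuation)

# Constructed sample list; a real deployment would use a full dictionary.
COMMON_WORDS = {"password", "mysql", "admin", "root", "letmein", "welcome"}

# Assumed cutoff: passwords at or above this ratio count as "not significantly different".
SIMILARITY_LIMIT = 0.8


def check_password(password, username="", prior_passwords=(), blocked_words=()):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []

    if len(password) < 7:
        problems.append("shorter than seven characters")

    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in SYMBOLS for c in password)
    if not (has_letter and has_digit and has_symbol):
        problems.append("must contain letters, numbers and symbols")

    # "Second through sixth positions" are 0-based indices 1..5.
    if not any(c in SYMBOLS for c in password[1:6]):
        problems.append("no symbol in the second through sixth positions")

    lowered = password.lower()
    for word in (username, *blocked_words):
        if word and word.lower() in lowered:
            problems.append(f"contains the name or user name '{word}'")

    for old in prior_passwords:
        if SequenceMatcher(None, lowered, old.lower()).ratio() >= SIMILARITY_LIMIT:
            problems.append("too similar to a prior password")
            break

    # Strip digits and symbols so "password1!" is still caught as a common word.
    core = "".join(c for c in lowered if c.isalpha())
    if core in COMMON_WORDS:
        problems.append("is a common word or name")

    return problems


if __name__ == "__main__":
    for candidate in ("password1!", "T7#kq9!mL", "evert!2005"):
        print(candidate, "->", check_password(candidate, username="evert") or "OK")
```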
Educating the inexperienced is a fine short-term step to address security risks such as MySpooler. In the long term, however, it's high time that IT departments got a handle on the open-source databases that are infiltrating their enterprises. Subject them to the same stringent security measures applied to commercial databases and network components. Then, after they've been formally invited in through the front door and asked to behave as domesticated, commercial databases behave, you can judge whether you want to invite them for permanent residence.

Write to me at

Associate Editor Lisa Vaas has written about enterprise applications since 1997.

Editor's Note: This story was updated to correct a statement in one of the headlines regarding how MySpooler spreads.

Check out eWEEK.com's for the latest database news, reviews and analysis.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
