MySQL - Passwords in the history

A popular way to get MySQL passwords on a foreign server has always been the ~/.mysql_history file in random home directories.

Since MySQL 5.6.8 this no longer works: lines that match any of the patterns

- IDENTIFIED
- PASSWORD

will not enter the readline() history any more. Unfortunately, they won't even enter the in-memory history of readline(), which is kind of annoying when editing statements matching such a line. What you really would want is an on-save filter for this that just prevents these statements from entering the ~/.mysql_history file.

http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-8.html says:

"""
On Unix systems, the mysql client writes statements executed interactively to a history file (see mysql Logging). mysql now ignores for logging purposes statements that match any pattern in the “ignore” list.

By default, the pattern list is "*IDENTIFIED*:*PASSWORD*", to ignore statements that refer to passwords. Pattern matching is not case sensitive.

Within patterns, two characters are special:

? matches any single character.

* matches any sequence of zero or more characters.

To specify additional patterns, use the --histignore command option or set the MYSQL_HISTIGNORE environment variable. (If both are specified, the option value takes precedence.)

The value should be a colon-separated list of one or more patterns, which are appended to the default pattern list.

Patterns specified on the command line might need to be quoted or escaped to prevent your command interpreter from treating them specially.

For example, to suppress logging for UPDATE and DELETE statements in addition to statements that refer to passwords, invoke mysql like this:

shell> mysql --histignore="*UPDATE*:*DELETE*"

(Bug #48287, Bug #11756377)
"""

Also, you might want to check all .mysql_history files on all of your systems when you upgrade to MySQL 5.6, and remove passwords from them (or delete these files entirely, as part of the upgrade).
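One way to do that check, as an added example that is not part of the original post or of MySQL: a Python sketch that applies the histignore pattern rules quoted above to existing history files and reports which lines the 5.6.8 filter would have kept out. The function names and the sample data are constructed for illustration; it assumes one statement per line and that some libedit-based clients store spaces as `\040`.

```python
import os
import re
import tempfile

DEFAULT_IGNORE = "*IDENTIFIED*:*PASSWORD*"  # default list quoted in the release notes

def histignore_to_regex(pattern_list):
    """Compile a colon-separated histignore list: '?' = one char, '*' = any run."""
    alternatives = []
    for pat in filter(None, pattern_list.split(":")):
        parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat]
        alternatives.append("".join(parts))
    # Case-insensitive; assumed to be matched against the whole statement.
    return re.compile("(?:" + "|".join(alternatives) + r")\Z", re.IGNORECASE | re.DOTALL)

def unvis(line):
    """Undo octal escapes such as \\040 (space) written by libedit-based clients."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), line)

def audit_history(root, extra_patterns=""):
    """Return (path, line_number) pairs only, so the report holds no passwords."""
    patterns = DEFAULT_IGNORE + (":" + extra_patterns if extra_patterns else "")
    rx = histignore_to_regex(patterns)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if ".mysql_history" not in files:
            continue
        path = os.path.join(dirpath, ".mysql_history")
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if rx.match(unvis(line.rstrip("\n"))):
                    hits.append((path, lineno))
    return hits

def demo():
    """Run the audit over a constructed home directory tree."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "alice")  # constructed sample user
        os.mkdir(home)
        with open(os.path.join(home, ".mysql_history"), "w") as fh:
            fh.write("_HiStOrY_V2_\n"
                     "SELECT\\0401;\n"
                     "grant\\040all\\040on\\040*.*\\040to\\040app\\040identified\\040by\\040'x';\n"
                     "SET PASSWORD = 'example';\n")
        return [(os.path.relpath(p, root), n) for p, n in audit_history(root)]

if __name__ == "__main__":
    print(demo())
```

Point `audit_history()` at the directory that holds your home directories; the second argument takes additional patterns in the same colon-separated form as `--histignore`.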