MySQL MariaDB password reset without knowing the password
-
Short, short version.
update mysql.user set password=password('dumbpassword') where user='dumbuser';
-
You could use
sudo mysql -u root
-
Did you get it reset?
-
I was able to change the password, but it doesn't appear to allow the program to that uses this database to work.
What am I missing?
-
So I've been able to reset the root mysql user password, which is great, so now that's secured and functional. Now I just need to change the database user password and update the config file for said new password.
But to figure out how the password is hashed. . .
-
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
So I've been able to reset the root mysql user password, which is great, so now that's secured and functional. Now I just need to change the database user password and update the config file for said new password.
But to figure out how the password is hashed. . .
why, just change it on the system, do you need to enter the hashed password because there is no other way to change the application Database configurations?
-
@dbeato the system was setup as a demo and was moved to production. The person who set up the environment is no longer and I'm just trying to close any holes that may exist.
The system isn't super critical, but it would be nice to have all of this aligned.
-
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
@dbeato the system was setup as a demo and was moved to production. The person who set up the environment is no longer and I'm just trying to close any holes that may exist.
The system isn't super critical, but it would be nice to have all of this aligned.
is this the demo you mentioned a while ago on a rant?
-
@dbeato said in MySQL MariaDB password reset without knowing the password:
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
@dbeato the system was setup as a demo and was moved to production. The person who set up the environment is no longer and I'm just trying to close any holes that may exist.
The system isn't super critical, but it would be nice to have all of this aligned.
is this the demo you mentioned a while ago on a rant?
Not recalling which rant in particular, you'd have to remind me. But I don't think so.
-
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
@dbeato said in MySQL MariaDB password reset without knowing the password:
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
@dbeato the system was setup as a demo and was moved to production. The person who set up the environment is no longer and I'm just trying to close any holes that may exist.
The system isn't super critical, but it would be nice to have all of this aligned.
is this the demo you mentioned a while ago on a rant?
Not recalling which rant in particular, you'd have to remind me. But I don't think so.
This one
https://mangolassi.it/topic/1022/what-are-you-doing-right-now/69963 -
@dbeato said in MySQL MariaDB password reset without knowing the password:
Not recalling which rant in particular, you'd have to remind me. But I don't think so.
That's from months ago, not nearly recent, and that was an ESXi/Dell issue I was ranting about.
-
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
So I've been able to reset the root mysql user password, which is great, so now that's secured and functional. Now I just need to change the database user password and update the config file for said new password.
But to figure out how the password is hashed. . .
That should be easy as above... Change the DB user's password, and then update the config file in the application to use the right password.
Did that not work?
-
@dafyre said in MySQL MariaDB password reset without knowing the password:
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
So I've been able to reset the root mysql user password, which is great, so now that's secured and functional. Now I just need to change the database user password and update the config file for said new password.
But to figure out how the password is hashed. . .
That should be easy as above... Change the DB user's password, and then update the config file in the application to use the right password.
Did that not work?
It didn't because the config file has the password hashed, so I'm looking into how that is hashed from the dev so I can update it there.
I think this topic is closed just need to figure out the program side config file.
-
Which, the password is hashed in mysql, so it's not in plain text, and from that it gets hashed and put into the config file that the program uses.
-
Okay so the password is actually in plain text in the config file. . . so now that I know that I can update the password and go from there.
And here I thought it was hashed. . .
-
Which also means, now that I know what the password is, I don't need to change it. . .
-
@DustinB3403 said in MySQL MariaDB password reset without knowing the password:
Okay so the password is actually in plain text in the config file. . . so now that I know that I can update the password and go from there.
And here I thought it was hashed. . .
This is normal usage for applications. There is no point in storing a password any other way.
If you need to log in to a system, you send the username and password. Nothing ever sends a hashed password to login. Just WTF led to even thinking that?
So because of that why store it in any weird form? It will have to be reversed into the raw password anyway to log in.
-
These log ins are "secure" assuming they are only allowed to connect via lcoalhost and such.
As is obvious by your acquisition of the root password, there is no point in any thing else, as once console access is obtained, the system is 100% open to any attacker anyway.
-
@JaredBusch said in MySQL MariaDB password reset without knowing the password:
Just WTF led to even thinking that?
The password looked like a hash, thus I was investigating it. It makes sense, now that I've gone through the entire process, I don't deal with mysql in my regular day to day.
Just still seems weird to have the password in plaintext on in a config file.
-
@JaredBusch said in MySQL MariaDB password reset without knowing the password:
These log ins are "secure" assuming they are only allowed to connect via lcoalhost and such.
They are limited to the localhost, so yeah it's all set now.