Encrypt a password the same way mysql does
Solution 1
Well, the trivial (perhaps cheating) way would be to run:
mysql -NBe "select password('right')"
This will produce a password using whatever password hashing scheme your version of mysql uses. [EDIT: added -NB, which gets rid of the column names and ascii table art.]
Solution 2
Some one-liners:
MySQL (may require you add -u(user) -p):
mysql -NBe "select password('right')"
Python:
python -c 'from hashlib import sha1; print "*" + sha1(sha1("right").digest()).hexdigest().upper()'
Perl:
perl -MDigest::SHA1=sha1_hex -MDigest::SHA1=sha1 -le 'print "*". uc sha1_hex(sha1("right"))'
PHP:
php -r 'echo "*" . strtoupper(sha1(sha1("right", TRUE))). "\n";'
Ruby:
ruby -e 'require "digest/sha1"; puts "*" + Digest::SHA1.hexdigest(Digest::SHA1.digest("right")).upcase'
All output:
*920018161824B14A1067A69626595E68CB8284CB
Solution 3
One more using the shell:
echo -n 'right' | sha1sum | xxd -r -p |\
sha1sum | tr '[a-z]' '[A-Z]' | awk '{printf "*%s", $1}'
Explanation:
echo -nprint without linebreaksha1sumfirst SHA1xxd -r -punhex the hashsha1sumsecond SHA1tr '[a-z]' '[A-Z]'convert to uppercaseawk '{print "*" $1}'add leading *
More details:
Between 2. and 3. an optional awk '{printf "%s", $1}' step could be insterted for newline- and hyphen-removal. But xxd will ignore them anyway (Thanks to dave_thompson_085).
Furthermore step 5 and 6 could be done at once by replacing them with {print "*" toupper($1)} (Thanks to dave_thompson_085).
Solution 4
It still kind of blows my mind that MySQL doesn't bother obfuscating passwords on the command line and in logs. And that's the only reason I'm adding an answer rather than just commenting on @Gilles answer.
So, of course, you could just log into MySQL as an admin and set a new password for your blayo user, as @patrix suggested.
However, the standard way to do that is by using MySQL's password() function, which takes a plaintext password as an argument (seriously?).
If you do that, you leave the plaintext version of your MySQL user's password sitting around in your bash history and in your MySQL logs, for easy retrieval later on by whoever manages to get access to those log files.
Wouldn't it be better to have a little utility that would prompt for the password, without echoing it to the screen or to your logs, then provide you with the resulting MySQL-compatible hash?
So, modifying @Gilles's answer just a bit, how about a little shell script that uses Python, like the following. You could easily modify this to run a SQL statement against your MySQL database to set the password all at once. But even without going that far, just copy and paste the resulting hash into a SQL statement to update the users table:
#!/bin/bash
mysqlpwd=$(/usr/bin/python -c 'from hashlib import sha1; import getpass; print "*" + sha1(sha1(getpass.getpass("New MySQL Password:")).digest()).hexdigest()')
echo $mysqlpwd
Solution 5
The hash is sha1(sha1(password)). Since there is no salt (which is a grave security flaw), you can look up the hash in a table.
With just POSIX tools plus sha1sum from GNU coreutils or BusyBox, sha1(sha1(password)) is annoying to compute because the sha1sum command prints out the digest in hexadecimal and there is no standard tool to convert to binary.
awk "$(printf %s 'right' | sha1sum |
sed -e 's/ .*//' -e 's/../, 0x&/g' \
-e 's/^/BEGIN {printf "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"/' \
-e 's/$/; exit}/')" | sha1sum
Python has standard digests in its standard libraries, so it's a simple one-liner.
printf %s 'right' |
python -c 'from hashlib import sha1; import sys; print sha1(sha1(sys.stdin.read()).digest()).hexdigest()'
Or with the password inside the one-liner:
python -c 'from hashlib import sha1; print sha1(sha1("right").digest()).hexdigest()'
Related videos on Youtube
04 : 30
13 : 14
09 : 04
21 : 35
05 : 24
Philippe Blayo
One of the best experience in my life has been to enjoy pair programming with developers that value clean code and simple design. It's called eXtreme Programming and I hope one day I'll have the opportunity to do it again.
Updated on September 18, 2022Comments
-
Philippe Blayo almost 2 years
I've created a user ... but forgotten the password
mysql> create user 'blayo'@'%' identified by 'right';
Which Linux command line tool can encrypt the password the same way mysql 5.5 does ?
mysql> select Password,User from mysql.user ------------------------------------------+-------+ *920018161824B14A1067A69626595E68CB8284CB | blayo |
...to be sure I use the right one
$ tool right *920018161824B14A1067A69626595E68CB8284CB
-
Craig Tullis almost 10 yearsAnd, handily, this will store your shiny new password in clear text both in your MySQL log and in your bash account history log. -
Craig Tullis almost 10 yearsI love this answer in spirit, but it isn't quite working. When I hit the enter key, it still wants to keep reading input instead of moving on. Also, the input echos back to the screen, which might not be desirable. How about something like this, though? unix.stackexchange.com/a/155583/37401
-
Gilles 'SO- stop being evil' almost 10 years@Craig How to read interactive input is beyond the scopre of the question. I assume that the script already has the password; usually it's stored in a file, it's rare to type a database password interactively. If you want to read interactive input, you can use thereadshell builtin to read a line; runstty echofirst if you want to turn off echo andssty +echoto turn it back on. In Python, you can use thegetpassmodule. -
Craig Tullis almost 10 years@HalosGhost; what was the edit about? It didn't change anything? ;-)
-
Jakob Bennemann almost 10 yearsIt enforced syntax highlighting (as noted in the edit summary) and made obvious by the actual text of the edit.
-
Craig Tullis almost 10 yearsAh, so. Honestly didn't realize what you'd done (you obviously added the
<!-- language: lang-bsh -->line). Handy! I like it. Thanks! -
dave_thompson_085 over 8 years
awkcan do the uppercase, and outputting an incomplete (last) line to terminal is incovenient:.. | sha1sum | awk '{print "*" toupper($1)}'. And you don't need to worry about the NL and even the hyphen on thexxd -r -p, they're ignored. -
mwfearnley about 7 yearsThis seems like it would be more for the case that you can't log in at all, rather than just as a specific user.
-
mwfearnley about 7 yearsThanks, I've linked to your answer in serverfault.com/a/846281/236916
-
ThorSummoner over 5 years@alexjhart Can i get an update for the new mysql 5.7.8 password hashing algorithm :) ? (maybe a little detail on how you found this out too?)
-
Murmel over 5 years@Craig To prevent both you can prepend a ' ' (space) right before the
mysqlto hide it from the bash history and you can useSET sql_log_off=ON;right before theSELECT ...to hide it from the MySQL log. -
Craig Tullis over 5 years@Murmel thanks for the update! Off course, it should default to not logging passwords. Security should always be the default setting.
-
Murmel over 5 years@Craig To be fair, this is already done by mysql (v5.7, the last version this function exists, got removed with v8.0.11)) on the: 1. clientside (affecting
.mysql_history) ignoring all statements matching*PASSWORD*and 2. serverside for several stmts (exceptSELECT). See: MySQL 5.7 Manual - Passwords and Logging and MySQL 5.7 - Manual - mysql Client Logging -
Craig Tullis about 5 yearsThat's good feedback! Unfortunately, there are still quite a few people who for various reasons (myself included) are still stuck using mysql versions older than 5.7.
-
o.v over 3 yearsIt prints
*(STDIN)= 920018161824B14A1067A69626595E68CB8284CBin Debian bash. But +1 for an intuitive alternative way. -
Chris Martin over 3 years@o.v thanks for commenting that issue - fixed above with the
sedcommand
