EmergencyEMERGENCY? Get 24/7 Help Now!

Get MySQL Passwords in Plain Text from .mylogin.cnf

 | September 7, 2016 |  Posted In: MySQL, Security

PREVIOUS POST
NEXT POST

MySQL PasswordsThis post will tell you how to get MySQL passwords in plain text using the .mylogin.cnf file.

Since MySQL 5.6.6, it became possible to store MySQL credentials in an encrypted login path file named .mylogin.cnf, using the mysql_config_editor tool. This is better than in plain text anyway.

What if I need to read this password in plain text?

Perhaps because I didn’t save it? It might be that I don’t need it for long (as I can reset it), but it’s important that I get it. 😎

Unfortunately (or intentionally), mysql_config_editor doesn’t allow it.

I wrote this blog post because I just faced this issue. I needed to get the password out of there. Surprisingly, it is simpler than I thought. While looking for an answer I found that some people created scripts to decrypt it (as it uses the AES-128 ECB algorithm), sometimes getting the MySQL code source or simply using a scripting language.

However, it turns to be very simple. mysql_config_editor does not provide this option, but my_print_defaults does!

my_print_defaults is a standard tool in the MySQL server package. Keep your passwords safe!

PREVIOUS POST
NEXT POST
Roman Vynar

Lead Platform Engineer at Percona. Developing monitoring tools, automated scripts and leading Percona Monitoring and Management project.

2 Comments

  • Hi Roman, Are there any implications to Percona MySQL (we are using 5.6 & 5.7 both) if I disable (600) “my_print_defaults” or completely remove it from a running system? I can find other ways of helping users who forget their passwords, and I am happier with a secure password vault for the important ones. This seems far too risky to leave lying around. Thanks in advance.

  • Ed,
    The main point here is what such obfuscated password is not secure password. Even if you do not have my_print_default program locally someone can take this encrypted data and do it on his own system.

    .mylogin.cnf is not secure password store and you should not think about it as such. It just does not show the password in the plain text but anyone with basic technical skill can recover it.

Leave a Reply