As Todd Farmer points out in Understanding mysql_config_editors security aspects, the new .mylogin.cnf file generated by mysql_config_editor does not securely store the password used to login to the database. It just obfuscates it.
The format of the file is as follows (as of MySQL 5.6.7-RC):
The key used by AES 128 needs to be CHAR(16), but the function accepts any string as a key generation matter. It generates the key from the key generation matter by xor-ing the key generation matter onto itself in a 16 byte loop, starting with a buffer of NULL bytes.
In Code:
Continue reading ".mylogin.cnf password recovery"
The format of the file is as follows (as of MySQL 5.6.7-RC):
- 4 Bytes Zero (Version Information)
- 20 Bytes Key Generation Matter
- Repeated:
- 4 Bytes Length information
- Length bytes crypted matter. The crypt is done using the AES ENCRYPT function, which in itself is insecure: It is an aes-128-ecb with a NULL IV.
The key used by AES 128 needs to be CHAR(16), but the function accepts any string as a key generation matter. It generates the key from the key generation matter by xor-ing the key generation matter onto itself in a 16 byte loop, starting with a buffer of NULL bytes.
In Code:
Continue reading ".mylogin.cnf password recovery"