Manage MySQL Users in Navicat Premium - Part 1: Protecting the Root Account

Part 1: Securing the Root Account

Managing database users is one of the primary responsibilities of a database administrator (DBA). Coordinating how users in an organization access databases often requires many separate tasks, including adding new users, blocking access for users who have left the organization, and assisting users who cannot log in.

The mysqladmin command-line client included with MySQL is used for performing administrative operations. You can use it to check the server's configuration and current state, create and delete databases, and so on. For DBAs who want slightly more complex functions, Navicat for MySQL and Navicat Premium already include all the functions needed to manage MySQL users, so you don't need to start a separate command window. In this series, we'll explore how to perform common user management tasks in Navicat. This article describes the three default MySQL user accounts and security for the root user.

Although this article uses Navicat Premium, keep in mind that Navicat for MySQL includes the same functionality but is specific to MySQL. Want to learn by trying it? Click here to download a 14-day full-featured trial version of Navicat Premium.

Default User Accounts

User management functions can be accessed via the "Users" button. Clicking it will display all registered users of the MySQL connection in the Objects tab.

The image above shows the default user account. During installation, MySQL creates three user accounts that should be considered reserved:

  • 'root'@'localhost': superuser. This account has full permissions and can perform any action. Strictly speaking, this account name is not reserved, because you can rename the root account to something else to avoid exposing a highly privileged default account with a well-known name. In a production environment, you should rename the root account!
  • 'mysql.sys'@'localhost': used as DEFINER for sys schema objects. Using the mysql.sys account avoids problems when the DBA renames or removes the root account. This account is locked and cannot be used for client connections.
  • 'mysql.session'@'localhost': used internally by the plugin to access the server. This account is locked and cannot be used for client connections.

Edit user details

If we want to view and/or modify a user's details, we can double click on it or highlight it in the Objects tab and click the Edit User button on the object toolbar. This will open the editor tab for that user. It contains five tabs, namely "General", "Advanced", "Server Privileges", "Permissions" and "SQL Preview". We'll cover these tabs in more detail in the next article, but for now, let's look at how to change some data on the General tab to protect the root account.

1. As we all know, the "root" account is a superuser. Therefore, our first action should be to rename it to something less intuitive, such as "secure_admin_99". Adding numbers makes guessing more difficult.

2. Select the sha256_password plugin.

In all versions of MySQL Server since version 5.5, the default password mechanism has been the mysql_native_password authentication plugin (enabled by default). This mechanism uses SHA1 hashing. While this algorithm was considered secure in the days of MySQL 4.1, within a few years it became known to be an exploitable security weakness.

The sha256_password plugin was introduced in MySQL Server 5.6, providing additional security focused on password storage. It does this by addressing two key elements that make mysql_native_password vulnerable: the hash computation is made more expensive (slower), and the output is randomized, so identical passwords do not produce identical stored hashes. Additionally, use of the stronger SHA-256 algorithm removes the dependency on the vulnerable SHA1 algorithm.

3. Provide a strong password.

A strong password should be difficult to guess or crack. A good password has the following characteristics:

    • At least 8 characters long.
    • Does not include your username, real name, or company name.
    • Does not contain complete words.
    • Significantly different from previous passwords.
    • Contains uppercase letters, lowercase letters, numbers and symbols.

4. Provide a "Password Expiration Policy".

By specifying an interval, we can have MySQL prompt users to change their passwords after a set number of days, such as 90 days.

Here is the General tab with the updated fields:

Click the "Save" button to update account settings.
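For readers who want to see what the four General-tab changes above amount to in SQL, here is an added example (not taken from the article or from Navicat's SQL Preview tab). It assumes MySQL 5.7 or later, that you are connected as an account with the CREATE USER privilege, and it uses the placeholder name and password from the steps above; the first and last queries also check the three default accounts described earlier.

```sql
-- Added example: SQL equivalent of the General-tab changes made in Navicat.
-- 'secure_admin_99' and the password are placeholders; replace before use.

-- Before changing anything, inspect the three default accounts: which
-- authentication plugin each uses, whether it is locked, and its password
-- lifetime in days (NULL means the server-wide default applies).
SELECT user, host, plugin, account_locked, password_lifetime
FROM mysql.user
WHERE user IN ('root', 'mysql.sys', 'mysql.session');

-- Step 1: give the superuser a less obvious name. Grants and privileges
-- follow the account; only the name changes.
RENAME USER 'root'@'localhost' TO 'secure_admin_99'@'localhost';

-- Steps 2, 3 and 4 in one statement: switch to the sha256_password plugin,
-- set a strong password, and require a password change every 90 days.
ALTER USER 'secure_admin_99'@'localhost'
  IDENTIFIED WITH sha256_password BY 'Replace-With-A-Strong-Passphrase!42'
  PASSWORD EXPIRE INTERVAL 90 DAY;

-- Verify the result: plugin should read sha256_password and
-- password_lifetime 90 for the renamed account, while the two mysql.*
-- accounts should still show account_locked = 'Y'.
SELECT user, host, plugin, account_locked, password_lifetime
FROM mysql.user
WHERE user IN ('secure_admin_99', 'mysql.sys', 'mysql.session');
```

Clients authenticating with sha256_password must use a TLS connection or the server's RSA public key to send the password, so open a second connection and confirm the renamed account can log in before closing the session you made the changes from.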

Notice

In the next section, we will learn how to create new users and assign permissions. If you want to try this feature, click here to download the 14-day full-featured trial version of Navicat Premium.


Origin blog.csdn.net/weixin_53935287/article/details/131312687