How to choose a Secure Password in the Real World


You can find a lot of advice about how to choose your passwords around the internet. But most of it seems to me bad advice.

First, let’s define what we want. We want to have:

  • Secure passwords;
  • Passwords that we can remember.

The most common advice you will find is: «Always use mixed-case letters AND numbers AND underscores in your passwords». Not bad advice, but this only improves your passwords a bit. If they are insecure, they will remain insecure even if you add numbers. Example: Ab12 is too short. ilikemarypoppins is much more secure. blacksabbathisthebestheavymetalbandintheworld is even better. And I’m sure that you will never forget it.

Then we can apply the other advice. BlackSabbath_isthebestheavymetalbandintheworld01 is more secure. It’s also impossible for a human to guess.

But we have a problem: humans can hardly remember more than one password of this kind. And the other advice we find everywhere is: «Use a separate password for each service you are subscribed to». Which is important advice… really! A lot of small sites collect users’ passwords, and a lot of social network apps try to guess them. But human memory is not perfect, and you need to remember all of your passwords. How can we do it?

Keep only one base password, and use the name of the service to modify it. You have to decide your own rule. You can’t use mine – this wouldn’t be secure for me or for you. But it’s easy. Some possible rules:

  • Add the first two letters at the beginning of your password, and the last letter at the end.
  • Add the first letter at the beginning of your password, and the two last letters at the end.
  • Add the last letter at the beginning of your password, and the last one at the end.

For example, let’s apply the first rule:

  • Base password: BlackSabbath_isthebestheavymetalbandintheworld01
  • Service name: Facebook
  • Specific password: faBlackSabbath_isthebestheavymetalbandintheworld01k

Too difficult? Ok, you can drop the ’01’ part, and even the underscore. All the geeks who will try to explain to you how unsafe your password is have a password that is much less secure than yours.
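As an added illustration (not code from the original post), the script below implements the three derivation rules listed above and estimates the brute-force search space of the post’s sample passwords, which is why length matters more than adding a few digits. Rule 3 is implemented literally as the post states it (last letter at both ends); the keyspace estimate assumes the attacker knows the length and character classes used.

```python
import math
import string

# Base password taken from the post; the rule numbers follow the post's list.
BASE = "BlackSabbath_isthebestheavymetalbandintheworld01"


def derive_password(base: str, service: str, rule: int) -> str:
    """Derive a per-service password from a base password.

    rule 1: first two letters of the service in front, last letter at the end
    rule 2: first letter in front, last two letters at the end
    rule 3: last letter in front and at the end (as the post words it)
    """
    s = service.lower()
    if len(s) < 2:
        raise ValueError("service name must have at least two characters")
    if rule == 1:
        return s[:2] + base + s[-1]
    if rule == 2:
        return s[0] + base + s[-2:]
    if rule == 3:
        return s[-1] + base + s[-1]
    raise ValueError(f"unknown rule {rule}")


# Character classes used to size the alphabet a brute-force search must cover.
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)


def keyspace_bits(password: str) -> float:
    """log2 of the number of candidates for a blind brute-force search.

    This is an upper bound on strength: a phrase built from dictionary
    words is much easier to guess than a random string of the same length.
    """
    alphabet = sum(len(c) for c in _CLASSES if any(ch in c for ch in password))
    if alphabet == 0:
        alphabet = 256  # assumption: treat unknown characters as raw bytes
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    samples = ("Ab12", "ilikemarypoppins",
               "blacksabbathisthebestheavymetalbandintheworld", BASE)
    for pw in samples:
        print(f"{pw:50} {keyspace_bits(pw):6.1f} bits")
    print(derive_password(BASE, "Facebook", 1))
```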


See this strip by XKCD!


Did you lose your MariaDB root password? (GNU/Linux)

Don’t even think about drastic solutions. If you can log into GNU/Linux as root, you can always recover the MariaDB root password.

Have you never known the password?

Maybe you installed MariaDB, or you bought a new server, but you don’t know the root password. Don’t panic! It’s ok!

Probably there is no password. Well, this is not quite true: MariaDB asks for a password, and you won’t be able to log on if the password is incorrect; but the password is an empty string. On the CLI, just press Enter to access.

Change it: it is insecure. If I had to break into a MariaDB/MySQL installation as root, I would first try an empty password. Don’t let me break into your system so easily!

Ok, you lost the password

Ok, you lost it. This is not the simplest case, but… it’s simple!

1) Log into your GNU/Linux system as the user MySQL runs as (usually ‘mysql’) or as root.

2) Restart MariaDB with the grant tables disabled:
mysqld_safe --skip-grant-tables --skip-networking

mysqld_safe will shut down mysqld for you.
With --skip-grant-tables, no password is needed to log on.
This is unsafe, so until the password is reset MariaDB should not accept network connections (--skip-networking).

3) Log on with no password:
mysql -u root

4) Set your new password.

Execute these two SQL statements and exit the client:

-- change pwd
UPDATE `mysql`.`user`
	SET `Password` = PASSWORD('new_password')
	WHERE `User` = 'root';
-- tell the server to read the grant tables again
FLUSH PRIVILEGES;

(replace ‘new_password’ with the new password)

5) Stop mysqld_safe and restart mysqld:

mysqladmin shutdown
/etc/init.d/mysql start

(depending on your system, you may need to replace ‘/etc/init.d’ with the correct MySQL path)

6) Log off from your system (because you are now root, or someone very powerful).
