Naming convention for databases and database users for access by a web application?

web-applications database-administration

When installing a web application where a single user is used to talk to a single database (say MySQL, but this could apply to other RDBMSes also), you often have a sequence of events such as this:

CREATE DATABASE wordpress CHARACTER SET utf8;
GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost' IDENTIFIED BY 'hunter2';

Some guides suggest using a different username to the database name, where others suggest using a different name, such as 'appuser' for the user, and 'app' for the database name.

Are there any obvious technical downsides to using the same name? Is there anywhere you're likely to create confusion by doing this?

Edit: I'm aware that this is questionable security practice, and you should name your databases fhqwhgads and your user flobadob; however, (a) obscurity is a questionable tool, and (b) this is the example every webapp gives in their documentation.


The downside of using the same user name as the database name is simply that it's far too obvious. If you have a look at access logs you will see attackers regularly try that combination and if you get the name right you're already part way in. Other than that it makes little difference what name you use, although there is something to be said for not using dictionary words either.


Obfuscated databases provide about 15-30sec of defense in the event of a compromise and about 1234783562387561235 hours of frustration.

I'm of the opinion that you tie the role in to the username. Something like:

app_role

Or:

wordpress_www
wordpress_dba
wordpress_cron

If I ever see a wordpress user, I know something's not right. Using the *_dba convention helps drive home the point that web users should not own database objects, only the *_dba's should. For users, you just use their site username. Simple conventions like this make administering permissions easy, especially when coupled with SCHEMAs.

Here's a sample project that I'm working on that does exactly this:

https://github.com/sean-/flask-skeleton/blob/master/sql/create_roles.sql

https://github.com/sean-/flask-skeleton/blob/master/sql/perms.sql


I think the downsides are not at a technical level, but more of an administration and/or security level. You could think along the lines that usernames == database name is simple for administration and knowing what accounts access what databases, but it also makes it easier on an intruder to be able to easily guess at valid account names with a better ratio of success. Typically I suffix the account with the purpose and application. Something like _wp would reduce the intuitive access and yet still be visible for a database administrator to quickly determine the nature of the account.

Related

What is a "VPN Consolidator"
Gradle build errors after updating Android Studio
Where is the webmin port number stored? [closed]
How to rewrite the protected/private route using TypeScript and React-Router 4, 5 or 6?
Websockets Server with Fault-Tolerance and Durable Message Store
How to install the dynamic content compression component of IIS (both 6 and 7) non interactively?
IIS 7 can't run ASP.NET MVC application due to missing System.Web.Helpers
Stacking 2960 with either 3560 or 3750?
ucarp: promote slave to master
WPF - how to hide menu item if command's CanExecute is false?
PHP is_null() and ==null [duplicate]
NotImplementedError: Cannot convert a symbolic Tensor (2nd_target:0) to a numpy array