Bug #25143 mysql.exe client: shows password in command prompt window title
Submitted: 18 Dec 2006 14:37
Modified: 19 Dec 2006 21:27
Reporter: luca nanetti
Status: Verified
Category: MySQL Server: Command-line Clients
Severity: S4 (Feature request)
Version: 5.0.27-community-nt
OS: Windows (win xp)
Assigned to:
CPU Architecture: Any
Tags: clear text, password

[18 Dec 2006 14:37] luca nanetti
Description:
Using the syntax:
mysql -h xxx.yyy.zzz.aaa -u whatsoever -pmypassword
the password is shown in clear text in the command prompt window title, among other connection parameters.

How to repeat:
NORMAL BEHAVIOUR:
Open a command prompt window;

Try to connect to a mysql server using the "normal", interactive syntax,
mysql -h xxx.yyy.zzz.aaa -u whatsoever -p

You enter the password, that's displayed with asterisks; that's good

You get the mysql prompt, and the titlebar shows the above connection string until -p.

BUGGY BEHAVIOUR:
Open a command prompt window;

Try to connect to a mysql server using the old-fashioned syntax,
mysql -h xxx.yyy.zzz.aaa -u whatsoever -pmysecretpassword

You get the mysql prompt, and the titlebar shows the above connection string including the password, written in clear text.

Suggested fix:
Subclass the command prompt window, and change the title to something neutral, like "MySQL command line"

[19 Dec 2006 21:27] Valeriy Kravchuk
Thank you for a problem report. Yes, everything works just as you describe. And it may even be possible to do what you suggest easily (so I mark this as a reasonable feature request). But:

1. Once again, this is a default behaviour of cmd.exe
2. Other command line clients (Oracle's sqlplus, for example) work the same way
3. Your password will be visible in the cmd.exe window for some time, and will appear in the command history, if you put it in plain text as one of the command's parameters and do not close the window later
4. Tricks like this add almost nothing to security if people do not care to NOT include the password in the command line.
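
Added example, not part of the original thread or of MySQL's code: a small Python check that finds saved command lines carrying an inline client password (`-pVALUE` or `--password=VALUE`) and redacts them, while leaving the prompting form (`-p` alone) untouched. The client list, the `<redacted>` marker and the sample history (host, user, password) are assumptions constructed for illustration.

```python
import shlex

# Client binaries to check: an assumed list for this example, extend as needed.
CLIENTS = {"mysql", "mysqldump", "mysqladmin"}

def redact_inline_password(command_line):
    """Return (command, found): found is True when a password was given inline.

    A bare -p or --password makes the client prompt, so nothing is exposed;
    -pVALUE and --password=VALUE put the secret into the command line itself.
    """
    try:
        tokens = shlex.split(command_line, posix=False)  # keep Windows backslashes
    except ValueError:                                   # unbalanced quote
        tokens = command_line.split()
    if not tokens:
        return command_line, False
    exe = tokens[0].strip("\"'").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe not in CLIENTS:
        return command_line, False
    out, found = [tokens[0]], False
    for tok in tokens[1:]:
        if tok.startswith("--password=") and tok != "--password=":
            tok, found = "--password=<redacted>", True
        elif tok.startswith("-p") and len(tok) > 2:      # -P (port) is upper case
            tok, found = "-p<redacted>", True
        out.append(tok)
    return (" ".join(out), True) if found else (command_line, False)

def audit(lines):
    """Return (line_number, redacted_command) for every line that leaks a password."""
    hits = []
    for number, line in enumerate(lines, start=1):
        redacted, found = redact_inline_password(line)
        if found:
            hits.append((number, redacted))
    return hits

# Constructed sample history; host, user and password are made-up values.
HISTORY = [
    "mysql -h db.example.test -u whatsoever -p",
    "mysql -h db.example.test -u whatsoever -pmysecretpassword",
    "mysqldump --user=whatsoever --password=mysecretpassword shop",
    "mysql -P3306 -u whatsoever -p shop",
    "dir C:\\temp",
]

if __name__ == "__main__":
    for number, command in audit(HISTORY):
        print(f"line {number}: {command}")
```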