Bug #27243 mysqladmin password should accept new password on standard input
Submitted: 18 Mar 2007 9:11
Modified: 8 Feb 2009 17:33
Reporter: Alex Tribble
Status: Duplicate
Category: MySQL Server: Command-line Clients
Severity: S4 (Feature request)
Version: 5.0.26
OS: Linux (Gentoo AMD64)
Assigned to:
CPU Architecture: Any

[18 Mar 2007 9:11] Alex Tribble
Description:
From http://dev.mysql.com/doc/refman/5.1/en/mysqladmin.html under the "--password" section:

"Specifying a password on the command line should be considered insecure."

However, the password command implemented by mysqladmin ONLY allows for passwords to be specified on the command line:

mysqladmin password new-password

This will, in the most common set of configurations used on most modern Linux systems, write the new password in plaintext to an often-unsecured shell history file in the user's home directory. Further, unless you've gone to the length of modifying the kernel, the complete command-line of most processes is available via the /proc filesystem, and the w command.

How to repeat:
Try:
man mysqladmin

And attempt to reconcile the conflicting statements therein.

Suggested fix:
A command variant,
  mysqladmin password
that accepts the new password on standard input is suggested.

[8 Feb 2009 17:33] Valeriy Kravchuk
Duplicate of Bug #5724.
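
Added example (not part of the original report and not MySQL code): a Linux shell check of the exposure described above, comparing what /proc shows when a secret is passed as an argument with what it shows when the secret arrives on standard input. The secret value, the function names and the `sh -c ... sleep` child that stands in for a client are all constructed for illustration.

```shell
#!/bin/sh
# Added example. SECRET and the child commands are constructed stand-ins;
# "sh -c ... sleep" plays the role of a client such as mysqladmin.
SECRET='constructed-demo-secret'

# Succeeds if string $2 appears in the command line of PID $1.
# /proc/PID/cmdline is NUL-separated and, by default, readable by other local users.
argv_shows() {
    tr '\000' ' ' 2>/dev/null < "/proc/$1/cmdline" | grep -qF -- "$2"
}

# Polls PID $1 for about one second; succeeds once $2 shows up in its argv.
watch_argv() {
    i=0
    while [ "$i" -lt 10 ]; do
        argv_shows "$1" "$2" && return 0
        sleep 0.1
        i=$((i + 1))
    done
    return 1
}

stop() { kill "$1" 2>/dev/null || true; wait "$1" 2>/dev/null || true; }

# Case 1: secret as an argument, the "mysqladmin password new-password" form.
secret_in_argv_is_visible() {
    sh -c 'sleep 3; :' child "$SECRET" >/dev/null 2>&1 &
    pid=$!
    watch_argv "$pid" "$SECRET"; rc=$?
    stop "$pid"
    return "$rc"
}

# Case 2: secret on standard input, the form the report asks for.
# printf is a shell builtin, so the secret is never an argv of a new process.
secret_on_stdin_is_visible() {
    printf '%s\n' "$SECRET" | sh -c 'read -r pw; sleep 3; :' child >/dev/null 2>&1 &
    pid=$!
    watch_argv "$pid" "$SECRET"; rc=$?
    stop "$pid"
    return "$rc"
}

if secret_in_argv_is_visible; then echo "argv:  secret visible"; else echo "argv:  secret not visible"; fi
if secret_on_stdin_is_visible; then echo "stdin: secret visible"; else echo "stdin: secret not visible"; fi
```

Feeding the secret with an external command such as /bin/echo would put it back into that process's argv, so the source should be a shell builtin, a here-document or a file with restrictive permissions.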