Bug #27761 Option to disable logins with empty password
Submitted: 11 Apr 2007 15:57 Modified: 11 Apr 2007 16:58
Reporter: Olaf van der Spek (Basic Quality Contributor)
Status: Verified
Category: MySQL Server: Security: Privileges Severity: S4 (Feature request)
Version: * OS: Any
Assigned to: CPU Architecture: Any
Tags: qc

[11 Apr 2007 15:57] Olaf van der Spek

Could you add an option to disable logins with empty passwords to avoid any accidental security holes?

How to repeat:
[11 Apr 2007 16:26] MySQL Verification Team
Thank you for the bug report feature request.
[11 Apr 2007 16:54] Giuseppe Maxia
Does mysql_secure_installation meet your needs?

[11 Apr 2007 16:58] Olaf van der Spek
No. I wish to disable all logins with an empty password and that script doesn't seem to do that.
[3 Feb 2015 9:40] Daniël van Eeden
I would also like this. The validate_password plugin is not sufficient as that checks only when generating the password hash.

I would like something like this:
Set secure_auth=2 (no old pwds, no empty pwds) and then check if a password hash is present at login time.

Another option:
3 plugins:
mysql_empty_password (new)

And then make it possible to do an UNINSTALL PLUGIN mysql_empty_password.

Also setting options per auth plugin could help here.
[3 Feb 2015 10:04] Daniël van Eeden
For mysql_native_password the check should probably be placed here:

[3 Feb 2015 14:31] Daniël van Eeden
A quick hack to disallow empty passwords:

This works. I had to start with --skip-grant-tables and set a password for root after the installation.
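
The login-time check requested in the 3 Feb 2015 comments, sketched as an added example that is not part of the thread and is not MySQL's code: a simplified model of the mysql_native_password challenge-response in which an account with no stored hash accepts a zero-length response unless the server refuses hashless accounts at login. The `reject_empty` flag, the function names and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def stored_hash(password: str) -> bytes:
    # Server-side value: SHA1(SHA1(password)); empty bytes mean "no password set".
    return sha1(sha1(password.encode())) if password else b""

def client_response(password: str, scramble: bytes) -> bytes:
    # An empty password is sent as a zero-length response.
    if not password:
        return b""
    stage1 = sha1(password.encode())
    mask = sha1(scramble + sha1(stage1))
    return bytes(a ^ b for a, b in zip(stage1, mask))

def server_verify(stored: bytes, scramble: bytes, response: bytes,
                  reject_empty: bool = False) -> bool:
    if reject_empty and not stored:
        return False  # hypothetical login-time policy: no hash, no login
    if not response:
        return not stored  # zero-length response matches only a hashless account
    if not stored or len(response) != 20:
        return False
    # Recover SHA1(password) from the response and compare its hash to the stored one.
    mask = sha1(scramble + stored)
    stage1 = bytes(a ^ b for a, b in zip(response, mask))
    return hmac.compare_digest(sha1(stage1), stored)

def login(accounts: dict, user: str, password: str,
          reject_empty: bool = False) -> bool:
    scramble = os.urandom(20)  # fresh per-connection challenge
    return server_verify(accounts[user], scramble,
                         client_response(password, scramble), reject_empty)

# Constructed sample accounts; "legacy" stands for a row that never got a password.
ACCOUNTS = {"app": stored_hash("Constructed-pw-1"), "legacy": b""}

if __name__ == "__main__":
    for flag in (False, True):
        print("reject_empty =", flag,
              "| legacy/empty:", login(ACCOUNTS, "legacy", "", flag),
              "| app/correct:", login(ACCOUNTS, "app", "Constructed-pw-1", flag))
```

A check made only when a password is set never sees the `legacy` row, which is why the model places the refusal in `server_verify`.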