| Bug #27761 | Option to disable logins with empty password | ||
|---|---|---|---|
| Submitted: | 11 Apr 2007 15:57 | Modified: | 11 Apr 2007 16:58 |
| Reporter: | Olaf van der Spek (Basic Quality Contributor) | Email Updates: | |
| Status: | Verified | Impact on me: | |
| Category: | MySQL Server: Security: Privileges | Severity: | S4 (Feature request) |
| Version: | * | OS: | Any |
| Assigned to: | CPU Architecture: | Any | |
| Tags: | qc | ||
[11 Apr 2007 15:57]
Olaf van der Spek
[11 Apr 2007 16:26]
MySQL Verification Team
Thank you for the bug report feature request.
[11 Apr 2007 16:54]
Giuseppe Maxia
Does mysql_secure_installation meet your needs? http://dev.mysql.com/doc/refman/5.0/en/mysql-secure-installation.html
[11 Apr 2007 16:58]
Olaf van der Spek
No. I wish to disable all logins with an empty password and that script doesn't seem to do that.
[3 Feb 2015 9:40]
Daniël van Eeden
I would also like this. The validate_password plugin is not sufficient as that checks only when generating the password hash. I would like something like this: Set secure_auth=2 (no old pwds, no empty pwds) and then check if a password hash is present at login time. Another option: 3 plugins: mysql_old_password mysql_native_password mysql_empty_password (new) And then make it possible to do an UNINSTALL PLUGIN mysql_empty_password. Also setting options per auth plugin could help here.
[3 Feb 2015 10:04]
Daniël van Eeden
For mysql_native_password the check should probably be placed here: https://github.com/mysql/mysql-server/blob/d75834078b508be1fe0db3d582bb208c6121f1e1/sql/au...
[3 Feb 2015 14:31]
Daniël van Eeden
A quick hack to disallow empty passwords: https://github.com/dveeden/mysql-server/commit/57caa30a1332a11d0d474d90456f81fe0b904db5 This works. I had to start with --skip-grant-tables and set a password for root after the installation.
