Bug #27761 Option to disable logins with empty password
Submitted: 11 Apr 2007 15:57 Modified: 11 Apr 2007 16:58
Reporter: Olaf van der Spek (Basic Quality Contributor) Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: Security: Privileges Severity:S4 (Feature request)
Version:* OS:Any
Assigned to: CPU Architecture:Any
Tags: qc

[11 Apr 2007 15:57] Olaf van der Spek
Description:
Hi,

Could you add an option to disable logins with empty passwords to avoid any accidental security holes?

How to repeat:
-
[11 Apr 2007 16:26] MySQL Verification Team
Thank you for the bug report feature request.
[11 Apr 2007 16:54] Giuseppe Maxia
Does mysql_secure_installation meet your needs?

http://dev.mysql.com/doc/refman/5.0/en/mysql-secure-installation.html
[11 Apr 2007 16:58] Olaf van der Spek
No. I wish to disable all logins with an empty password and that script doesn't seem to do that.
[3 Feb 2015 9:40] Daniël van Eeden
I would also like this. The validate_password plugin is not sufficient as that checks only when generating the password hash.

I would like something like this:
Set secure_auth=2 (no old pwds, no empty pwds) and then check if a password hash is present at login time.

Another option:
3 plugins:
mysql_old_password
mysql_native_password
mysql_empty_password (new)

And then make it possible to do an UNINSTALL PLUGIN mysql_empty_password.

Also setting options per auth plugin could help here.
[3 Feb 2015 10:04] Daniël van Eeden
For mysql_native_password the check should probably be placed here:

https://github.com/mysql/mysql-server/blob/d75834078b508be1fe0db3d582bb208c6121f1e1/sql/au...
[3 Feb 2015 14:31] Daniël van Eeden
A quick hack to disallow empty passwords:
https://github.com/dveeden/mysql-server/commit/57caa30a1332a11d0d474d90456f81fe0b904db5

This works. I had to start with --skip-grant-tables and set a password for root after the installation.