Bug #66714 Allow password verification dictionary to use /usr/share/dict/words
Submitted: 5 Sep 2012 22:03
Reporter: Todd Farmer (OCA)
Status: Verified
Category: MySQL Server: Security: Privileges
Severity: S4 (Feature request)
Version: 5.6.6
OS: Any
Assigned to:
CPU Architecture: Any

[5 Sep 2012 22:03] Todd Farmer
Description:
The password validation dictionary file contains several restrictions which make it difficult to use /usr/share/dict/words:

1.  Limitation to files < 1MB in size
2.  Requirement to specify all dictionary words in lower case.

On Oracle Linux 6.3, the default dictionary is 4.8M, and contains mixed-case words.

Because the contents are cached, it seems it would be reasonable to accept mixed-case strings, transforming them to lower-case as they are read, and retaining the existing case-insensitive matching.

During cache loading, any words less than 4 characters in length (minimum matching criteria) can be ignored.

Users should be able to specify a larger dictionary as needed, although we might choose to warn when the cache is loaded and the contents exceed a certain threshold, potentially slowing execution of the PASSWORD() function.

How to repeat:
See above.

Suggested fix:
1.  Relax size limitation to account for larger dictionaries, perhaps warning when threshold is exceeded.
2.  Convert all strings to lower-case on loading the validation cache.
3.  Ignore words in dictionary under 4 characters in length.
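The cache-loading and matching behaviour that the suggested fix describes, written out as an added Python example (this is not code from MySQL's validate_password plugin). It assumes a one-word-per-line dictionary file in the style of /usr/share/dict/words, that the former 1MB hard limit becomes a warning threshold, and that matching looks for cached words as case-insensitive substrings of the password.

```python
"""Dictionary cache for a password-validation check, illustrating the three
proposed changes: warn instead of refusing large files, lower-case words at
load time, and drop words shorter than the minimum matching length.
Added example; not MySQL's validate_password code."""
import logging
from typing import Iterable, NamedTuple, Optional, Set

log = logging.getLogger("password_dictionary")

MIN_WORD_LEN = 4               # minimum matching length given in the report
WARN_BYTES = 1 * 1024 * 1024   # assumed threshold: the old 1MB hard limit becomes a warning


class DictionaryCache(NamedTuple):
    words: Set[str]      # lower-cased words of at least min_len characters
    loaded_bytes: int    # bytes read from the dictionary source
    skipped: int         # entries dropped for being too short to ever match
    oversized: bool      # True when loaded_bytes exceeded the warning threshold


def load_dictionary(lines: Iterable[str], min_len: int = MIN_WORD_LEN,
                    warn_bytes: int = WARN_BYTES) -> DictionaryCache:
    """Build the cache from dictionary lines (one word per line, any case)."""
    words: Set[str] = set()
    nbytes = skipped = 0
    for raw in lines:
        nbytes += len(raw.encode("utf-8"))
        word = raw.strip()
        if len(word) < min_len:      # shorter than the match minimum: never useful
            skipped += 1
            continue
        words.add(word.lower())      # store lower-case so matching stays case-insensitive
    oversized = nbytes > warn_bytes
    if oversized:
        # Warn rather than reject: a large cache only slows PASSWORD() checks.
        log.warning("dictionary is %d bytes (threshold %d); password checks may be slower",
                    nbytes, warn_bytes)
    return DictionaryCache(words, nbytes, skipped, oversized)


def dictionary_match(password: str, cache: DictionaryCache,
                     min_len: int = MIN_WORD_LEN) -> Optional[str]:
    """Return the first cached word found as a substring of the password
    (compared case-insensitively), or None when nothing matches."""
    lowered = password.lower()
    for start in range(len(lowered)):
        for end in range(start + min_len, len(lowered) + 1):
            candidate = lowered[start:end]
            if candidate in cache.words:
                return candidate
    return None


# Constructed sample in the style of /usr/share/dict/words: mixed case, short entries.
SAMPLE_WORDS = ["a", "Apple", "cat", "MySQL", "Oracle", "zebra", "Zoo"]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    cache = load_dictionary(SAMPLE_WORDS)
    print(sorted(cache.words), "skipped:", cache.skipped)
    for pw in ("myAPPLE2012", "S3cure!Phrase"):
        print(pw, "->", dictionary_match(pw, cache))
```

With the sample list, "a", "cat" and "Zoo" are dropped at load time, "Apple" and "MySQL" are cached as "apple" and "mysql", and "myAPPLE2012" is rejected because "apple" appears in it regardless of case.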