Bug #92403 Wrong error message printed when password is too long.
Submitted: 13 Sep 2018 10:37 Modified: 17 Sep 2018 0:51
Reporter: Syed Shah Email Updates:
Status: Verified Impact on me: None
Category:MySQL Server: Command-line Clients Severity:S3 (Non-critical)
Version:5.7.23-0ubuntu0.18.04.1 (Ubuntu) OS:Ubuntu
Assigned to: CPU Architecture:Any
Tags: password

[13 Sep 2018 10:37] Syed Shah
Description:
We are able to set passwords for MySQL users to whatever we want, including passwords well over 80 characters long.
The issue is that when attempting to log in to MySQL using the `-p` argument, it allocates `char buff[80]` when getting the password.

https://github.com/mysql/mysql-server/blob/4f1d7cf5fcb11a3f84cff27e37100d7295e7d5ca/client...

This means that if the password is longer than 80 characters, you can't log in by this means and there is no tailored error message; we are just told we put the password in wrong, the same error message that would occur if we had in fact put in the wrong password. However, we didn't put in the wrong password at all, and it can be very difficult to discover the actual problem.

Logging in via the `--password=...` argument and logging in via code both work as intended.

How to repeat:
Either:
1. Create a MySQL user that logs in via `mysql_native_password` and give it a password over 80 characters.
2. `ALTER` an existing user's password to something over 80 characters.

The next time you attempt to log in via the `-p` argument, it will say the password is incorrect, despite the fact that it is correct.

e.g.: `mysql -u user -p` (enter the password on the next line)

Suggested fix:
Limit the max length of a user's password; this could be configurable so we can't set passwords over this limit in the first place.

If this is configurable, put a comment above the setting that warns users that if a user already has a password longer than the new limit, they will lose access to the database until an admin resets it.
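
The silent truncation described in the report above, as an added example that is not MySQL's own client code: a reader that mimics a fixed `char buff[80]` filled by `fgets()`, beside a hardened reader that notices when the typed line did not fit and reports that instead of sending a truncated secret. Only the buffer size is taken from the report; the function names, the `fmemopen()`-based helpers and the constructed inputs are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Same size as the `char buff[80]` named in the report (assumption: only the
   size is taken from the page, not the client's actual code). */
#define PASSWORD_BUFF 80

/* The behaviour the report describes: fgets() keeps at most buff_size-1
   characters and silently leaves the rest of the line unread, so a longer
   password is truncated and the server later rejects it as simply wrong.
   Returns the number of characters kept. */
size_t read_password_truncating(FILE *in, char *buff, size_t buff_size)
{
    if (fgets(buff, (int)buff_size, in) == NULL) {
        buff[0] = '\0';
        return 0;
    }
    size_t n = strcspn(buff, "\n");   /* strip the newline if one was read */
    buff[n] = '\0';
    return n;
}

/* Hardened variant: detect that the typed line did not fit and say so.
   Returns 1 if the password fit (length in *out_len), 0 if it was too long
   (buff is then wiped and *out_len set to 0). */
int read_password_checked(FILE *in, char *buff, size_t buff_size, size_t *out_len)
{
    if (fgets(buff, (int)buff_size, in) == NULL) {
        buff[0] = '\0';
        *out_len = 0;
        return 1;                     /* empty input fits trivially */
    }
    char *nl = strchr(buff, '\n');
    if (nl == NULL) {
        /* Buffer filled before a newline was seen. Peek at the next byte:
           EOF or '\n' means the line was exactly buff_size-1 long and fit;
           anything else is password we could not store. */
        int c = fgetc(in);
        if (c != EOF && c != '\n') {
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;                     /* drain the line so it can't leak into the next prompt */
            memset(buff, 0, buff_size);   /* don't keep a partial secret around */
            *out_len = 0;
            return 0;
        }
        *out_len = strlen(buff);
        return 1;
    }
    *nl = '\0';
    *out_len = (size_t)(nl - buff);
    return 1;
}

/* Constructed input: n_chars 'a' characters followed by Enter. */
static size_t build_typed(char *typed, size_t typed_size, size_t n_chars)
{
    if (n_chars + 2 > typed_size)
        n_chars = typed_size - 2;
    memset(typed, 'a', n_chars);
    typed[n_chars] = '\n';
    typed[n_chars + 1] = '\0';
    return n_chars + 1;
}

/* Characters the silent reader keeps from an n_chars password (-2 on setup error). */
long truncating_len(size_t n_chars)
{
    char typed[256], buff[PASSWORD_BUFF];
    size_t len = build_typed(typed, sizeof typed, n_chars);
    FILE *in = fmemopen(typed, len, "r");
    if (in == NULL)
        return -2;
    long kept = (long)read_password_truncating(in, buff, sizeof buff);
    fclose(in);
    return kept;
}

/* Length accepted by the checked reader, or -1 when it reports "too long". */
long checked_len(size_t n_chars)
{
    char typed[256], buff[PASSWORD_BUFF];
    size_t len = build_typed(typed, sizeof typed, n_chars), got;
    FILE *in = fmemopen(typed, len, "r");
    if (in == NULL)
        return -2;
    int ok = read_password_checked(in, buff, sizeof buff, &got);
    fclose(in);
    return ok ? (long)got : -1;
}

int main(void)
{
    printf("silent reader kept %ld of 100 characters\n", truncating_len(100));
    if (checked_len(100) < 0)
        printf("checked reader: passwords longer than %d characters are not supported\n",
               PASSWORD_BUFF - 1);
    return 0;
}
```

With the constructed 100-character password the silent reader returns 79 and would send a truncated string to the server, which is exactly the "access denied" symptom the report describes; the checked reader returns an explicit error instead, and also accepts a password of exactly 79 characters, the largest that fits the buffer.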
[17 Sep 2018 0:51] Bogdan Kecman
Hi,

While the mysql client does use only the first 80 bytes of a password, I doubt this can be considered a bug; it is more something like a lack of documentation: both the online docs and the mysql client should inform you, if you try to use a password longer than 80 bytes, that it does not support it.

Thanks for your report.
Bogdan