Bug #92403 Wrong error message printed when password is too long.
Submitted: 13 Sep 2018 10:37 Modified: 17 Sep 2018 0:51
Reporter: Syed Shah Email Updates:
Status: Verified Impact on me: None
Category:MySQL Server: Command-line Clients Severity:S3 (Non-critical)
Version:5.7.23-0ubuntu0.18.04.1 (Ubuntu) OS:Ubuntu
Assigned to: CPU Architecture:Any
Tags: password

[13 Sep 2018 10:37] Syed Shah
Description:
We are able to set passwords for MySQL users to whatever we want, including passwords well over 80 characters long.
The issue is when attempting to login to MySQL using the `-p` argument, it's allocated `char buff[80]` when getting the password.

https://github.com/mysql/mysql-server/blob/4f1d7cf5fcb11a3f84cff27e37100d7295e7d5ca/client...

This means that if the password is longer than 80 characters, you can't log in by this means, and there is no tailored error message: we are just told we put the password in wrong, the same error message that would occur if we had in fact put in the wrong password. However, we didn't put in the wrong password at all, and it can be very difficult to discover the actual problem.

Logging in via the `--password=...` argument, and logging in via code both work as intended.

How to repeat:
Either:
1. Create a MySQL user that logs in via `mysql_native_password` and give it a password over 80 characters.
2. `ALTER` an existing user's password to something over 80 characters.

Next time you attempt to log in via the `-p` argument, it will say the password is incorrect, despite the fact it is correct.

e.g. `mysql -u user -p` (enter password on next line)

Suggested fix:
Limit the max length of a user's password; this could be configurable so we can't set passwords over this limit in the first place.

If this is configurable, put a comment above the setting that warns users that, if a user already has a password longer than the new limit, they will lose access to the database until an admin resets it.
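As an added illustration (not MySQL's own code from get_password.cc), the C block below models the behaviour reported above: a fixed 80-byte buffer keeps at most 79 bytes of what was typed, so an 80-byte or longer password is silently truncated and the server can only answer with the generic access-denied error, while a reader that grows its buffer sees the whole password and can report an over-long one explicitly. The in-memory `tty` stream, the 79-byte limit passed to the hardened reader and the constructed all-'A' passwords are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct tty { const char *p; };   /* stand-in for the terminal: a constructed byte stream */
static int tty_getc(struct tty *t) { return *t->p ? (unsigned char)*t->p++ : EOF; }
/* Model of the reported behaviour (illustration, not MySQL's get_password.cc): an fgets()-style
 * read into a buffer sized like `char buff[80]` keeps at most 79 bytes and silently drops the rest. */
size_t read_password_fixed(struct tty *t, char *buff, size_t buffsz) {
    size_t n = 0; int c;
    while (n + 1 < buffsz && (c = tty_getc(t)) != EOF) {  /* stop at buffsz-1 bytes or newline */
        buff[n++] = (char)c;
        if (c == '\n') break;
    }
    buff[n] = '\0'; buff[strcspn(buff, "\r\n")] = '\0';   /* strip the newline, if it fit */
    return strlen(buff);                                  /* may be only a prefix of what was typed */
}
/* Hardened reader: grow the buffer until newline/EOF so the whole password is seen and an
 * over-long one can be rejected with a clear message instead of a generic "Access denied". */
char *read_password_dynamic(struct tty *t, size_t max_len, int *too_long) {
    size_t cap = 64, len = 0; int c; char *buf = malloc(cap);
    *too_long = 0; if (!buf) return NULL;
    while ((c = tty_getc(t)) != EOF && c != '\n') {
        if (c == '\r') continue;
        if (len + 2 > cap) {                 /* room for this byte plus the terminating NUL */
            char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); return NULL; }
            buf = nb; cap *= 2;
        }
        buf[len++] = (char)c;
    }
    buf[len] = '\0';
    if (len > max_len) *too_long = 1;        /* explicit signal instead of silent truncation */
    return buf;
}
/* Constructed input: n bytes of 'A' followed by the Enter key. */
static char *make_line(size_t n) {
    char *line = malloc(n + 2);
    if (line) { memset(line, 'A', n); line[n] = '\n'; line[n + 1] = '\0'; }
    return line;
}
size_t fixed_len_for(size_t n) {             /* bytes the 80-byte buffer keeps of an n-byte password */
    char buff[80], *line = make_line(n); struct tty t = { line ? line : "" };
    size_t len = read_password_fixed(&t, buff, sizeof buff);
    free(line); return len;
}
size_t dynamic_len_for(size_t n, int *too_long) { /* bytes the hardened reader keeps */
    char *line = make_line(n); struct tty t = { line ? line : "" };
    char *pw = read_password_dynamic(&t, 79, too_long);
    size_t len = pw ? strlen(pw) : 0; free(pw); free(line); return len;
}
```

With the fixed buffer, a 79-byte password survives intact but an 80-byte one loses its last byte, which matches the 79/80-byte boundary in the test cases listed later in this thread.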
[17 Sep 2018 0:51] MySQL Verification Team
Hi,

While the mysql client does use only the first 80 bytes of a password, I doubt this can be considered a bug; it's more something like a lack of documentation: both the online doc and the mysql client should inform you, if you try to use a password longer than 80 bytes, that it does not support it.

Thanks for your report.
Bogdan
[4 Apr 2023 12:42] MySQL Verification Team
Bug #110570 marked as duplicate of this one.
[30 May 0:17] HANCHUN LIU
Patch for Bug #44929, Bug #92403, and Bug #110570: fix client-side tty password length handling.

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: 0001-Bug-44929-92403-110570-Fix-tty-password-length-handl.patch (application/octet-stream, text), 5.46 KiB.

[30 May 0:19] HANCHUN LIU
I submitted a patch for this issue in the Contributions tab.
This contribution addresses the client-side tty password input behavior discussed in Bug #44929, Bug #92403, and Bug #110570.
The change is limited to sql-common/get_password.cc and does not change server-side authentication semantics.
Manual testing was completed on both Ubuntu and Windows 11. The mysql client was built successfully and tested on both platforms.
Verified interactive password input with:
	• 79-byte password
	• 80-byte password
	• 81-byte password
	• 100-byte password
	• 128-byte password
	• 2391-byte token-style password
For each case, login was verified using:
	• mysql -u -p
The 2391-byte token-style password was included to validate long authentication strings such as temporary access tokens used in token-based authentication scenarios.
[30 May 0:28] HANCHUN LIU
Could someone please review the submitted contribution when possible? I would be happy to update the patch if a different approach is preferred.
[30 May 10:42] HANCHUN LIU
test_evidence_longpassword_length3267_ubuntu_OK

Attachment: test_evidence_longpassword_length3267_ubuntu.pdf (application/pdf, text), 249.59 KiB.