7.4 Ensure Passwords are Set for All MySQL Accounts

Information

Blank passwords allow a user to login without using a password.

Rationale:

Without a password only knowing the username and the list of allowed hosts will allow someone to connect to the server and assume the identity of the user. This, in effect, bypasses authentication mechanisms.

Solution

For each row returned from the audit procedure, reset the password for the given user using the following statement (as an example):

ALTER USER
<user>@<host> IDENTIFIED BY RANDOM PASSWORD PASSWORD EXPIRE;

This resets the password temporarily to a RANDOM string and returns that temporary password as a result.

The user can then use this temporary password to login and is forced to set the password to one of their choosing upon login.

Note: Replace <user>, <host> with appropriate values.

See Also

https://workbench.cisecurity.org/files/3844

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: MySQLDB

Control ID: 7c664e1ed1acee244ad92d10ae1b150250587061070c40f2a97c710f750a64bd