totten closed 6 years ago
Hmm, it's technically allowed but not secure by any means. Perhaps we should add a system check to give a warning if mysql is configured without a pwd?
Ah, yeah, it is more secure to have a password (at least, from a defense-in-depth perspective of erecting as many walls as you can; it's not necessarily exploitable if everything else is configured just-so). I'd be a very soft 👍 on including that as system-check/warning.
In this context, perhaps a middle ground would be to use addWarning() instead of addError() to complain about blank passwords.
That sounds good.
There are MySQL configurations (esp. some development environments) where one is allowed to connect to the DB without specifying a password.