civicrm / civicrm-setup

MIT License

CheckDbWellFormed - Allow blank DB password #13

Closed totten closed 6 years ago

totten commented 6 years ago

There are MySQL configurations (esp. some development environments) where one is allowed to connect to the DB without specifying a password.

colemanw commented 6 years ago

Hmm, it's technically allowed but not secure by any means. Perhaps we should add a system check to give a warning if mysql is configured without a pwd?

totten commented 6 years ago

Ah, yeah, it is more secure to have a password (at least, from a defense-in-depth perspective of erecting as many walls as you can; it's not necessarily exploitable if everything else is configured just-so). I'd be a very soft 👍 on including that as system-check/warning.

In this context, perhaps a middle ground would be to use addWarning() instead of addError() to complain about blank passwords.

colemanw commented 6 years ago

That sounds good.