Bug #17357535 BACKPORT BUG#16241992 TO 5.5

Problem: COM_CHANGE_USER allows brute-force attempts to crack a password at a very high rate as it does not cause any significant delay after a login attempt has failed. This issue was reproduced using John-The-Ripper password cracking tool through which about 5000 passwords per second could be attempted. Solution: The non-GA version's solution was to disconnect the connection when a login attempt failed. Now since our aim to to reduce the rate at which passwords are tested, we introduced a sleep(1) after every login attempt failed. This significantly increased the delay with which the password was cracked.

Bug #17357535 BACKPORT BUG#16241992 TO 5.5
Problem: COM_CHANGE_USER allows brute-force attempts to crack a password at a very high rate as it does not cause any significant delay after a login attempt has failed. This issue was reproduced using John-The-Ripper password cracking tool through which about 5000 passwords per second could be attempted. Solution: The non-GA version's solution was to disconnect the connection when a login attempt failed. Now since our aim to to reduce the rate at which passwords are tested, we introduced a sleep(1) after every login attempt failed. This significantly increased the delay with which the password was cracked.
18079ac9 · Anirudh Mangipudi · 6fd6b38c · 18079ac9
Commit 18079ac9 authored Oct 18, 2013 by Anirudh Mangipudi
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

sql/sql_parse.cc sql/sql_parse.cc +1 -0

No files found.
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -971,6 +971,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
      thd->variables.collation_connection= save_collation_connection;
      thd->variables.character_set_results= save_character_set_results;
      thd->update_charset();
+      sleep(1);
    }
    else
    {