Bug #17357535 BACKPORT BUG#16241992 TO 5.5

Problem: COM_CHANGE_USER allows brute-force attempts to crack a password at a very high rate as it does not cause any significant delay after a login attempt has failed. This issue was reproduced using John-The-Ripper password cracking tool through which about 5000 passwords per second could be attempted. Solution: The non-GA version's solution was to disconnect the connection when a login attempt failed. Now since our aim to to reduce the rate at which passwords are tested, we introduced a sleep(1) after every login attempt failed. This significantly increased the delay with which the password was cracked.
2013-10-18 17:14:39 +05:30 · 2013-10-18 17:14:39 +05:30 · 37502cfaae
commit 37502cfaae
parent 6f43d3cab7
1 changed files with 1 additions and 0 deletions
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@ -971,6 +971,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
      thd->variables.collation_connection= save_collation_connection;
      thd->variables.character_set_results= save_character_set_results;
      thd->update_charset();
+      sleep(1);
    }
    else
    {