From 37502cfaae7c39646802008473bcbee96328a8ac Mon Sep 17 00:00:00 2001
From: Anirudh Mangipudi <anirudh.mangipudi@oracle.com>
Date: Fri, 18 Oct 2013 17:14:39 +0530
Subject: [PATCH] Bug #17357535 BACKPORT BUG#16241992 TO 5.5 Problem:
 COM_CHANGE_USER allows brute-force attempts to crack a password at a very
 high rate as it does not cause any significant delay after a login attempt
 has failed. This issue was reproduced using John-The-Ripper password cracking
 tool through which about 5000 passwords per second could be attempted.

Solution:
The non-GA version's solution was to disconnect the connection when a login
attempt failed. Now since our aim to to reduce the rate at which passwords
are tested, we introduced a sleep(1) after every login attempt failed. This
significantly increased the delay with which the password was cracked.
---
 sql/sql_parse.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index f787fe4058f..6e2b422bd44 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -971,6 +971,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
       thd->variables.collation_connection= save_collation_connection;
       thd->variables.character_set_results= save_character_set_results;
       thd->update_charset();
+      sleep(1);
     }
     else
     {