Default insecure passwords seems bad

[eythian]

I think that setting a default password of 'root' is dangerous. Instead, it might be worth considering:

• aborting with an error if no password is defined
• setting a large random one if none is defined

That should reduce the risk of people ending up with an insecure setup because they were in a hurry or something. Relatedly, it could be interesting to have a little aside in the docs on how to securely create a password file for when you drop this role in as a git submodule, and so want to avoid making changes to it if possible.

[geerlingguy]

I think that setting a default password of 'root' is dangerous.

At least it's more secure than MySQL's traditional default of having no password :)

I've considered doing something like this from time to time... but it's difficult to think of a way to randomize it (where it's random on first run, then consistent on future runs), and it's also just security-through-obscurity to simply set a more secure default.

Throwing a warning if it's root, I might be amenable to, since it would be the least invasive and most reliable way of highlighting insecure passwords.

But one thing to keep in mind is that many people (myself included) end up using the defaults for things like one-off database environments where we need to build something quick, run some commands, then tear it down. I usually either use 'root' or '' (no password) for that, just because it's fast and works quickly with defaults in many of the downstream tools I use with MySQL...

[eythian]

Presumably the root password is only set if the .my.cnf exists (excluding that override option), so if a random one were generated, it would be set and written into that file the first time, and wouldn't change again?

But even a loud warning would be enough I think.

Thanks for the role btw, it's a very handy thing for me finally getting my wordpress installation ansibleised :)

[llbbl]

maybe optionally prompting for a password based on config parameter. this would not break it for people just needing an easy way to set a password and still allow for a bit more control over access to password.

[stale]

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

[stale]

This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.

[colans]

@geerlingguy wrote:

I've considered doing something like this from time to time... but it's difficult to think of a way to randomize it (where it's random on first run, then consistent on future runs), and it's also just security-through-obscurity to simply set a more secure default.

Agreed on those points. The solution here is to do the following:

1. Set a random password on each run (unless there's already one there and there's no reason to change it).
2. Place the generated password in /root/.my.cnf.

But one thing to keep in mind is that many people (myself included) end up using the defaults for things like one-off database environments where we need to build something quick, run some commands, then tear it down. I usually either use 'root' or '' (no password) for that, just because it's fast and works quickly with defaults in many of the downstream tools I use with MySQL...

As proven time and time again, with routers and other IoT devices for example, setting passwords to common defaults is a terrible idea.

For this particular use case, you don't need to know what the password is. It'll be in /root/.my.cnf, which can be accessed indirectly by running sudo -H mysql. That logs you in as root, with whatever root password is in the file. It can be used in scripts, etc.

Please have a look at my Matomo role for an example of how to do this, generating a random password and then sticking it in the file. Specifically, see how I set the default password securely:

matomo_superuser_password: "{{ lookup('password', '/dev/null length=20 chars=ascii_letters') }}"

I believe that this issue should be reopened (and ideally labelled as a security issue). I can't see a "Reopen" button so I can't do this myself.

[stale]

This issue is no longer marked for closure.

[stale]

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.