Ensure Passwords Are Set for All MySQL Accounts


Blank passwords allow a user to log in without using a password.


A blank password will allow someone who knows the username and the list of allowed hosts to bypass any authentication mechanism.

A potential attacker will be able to connect to the server and assume the identity of a user, resulting in sensitive data exposure or compromising data integrity.

Applies To

  • Databases


This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      mysql

Default Rule

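const { getServerSetting, isEmpty, isEmptyArray } = module

// Placeholder: the name of the snapshot field that holds the stored password
// is cut off on this page.
const PASSWORD_COLUMN = "<password column>"

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {Object} result object; success is true if no user has a blank password
 */
function validate(databaseSettings) {
  const settingName = "sql_mode"
  const expectedValue = "no_auto_create_user"
  const currentValue = getServerSetting(databaseSettings, settingName)

  let success = true
  if (databaseSettings && !isEmptyArray(databaseSettings.users)) {
    // look for users with empty passwords
    const blankPwdUsers = databaseSettings.users.filter(user => user.mysql &&
                                                        user.mysql.usersTableSnapshot &&
                                                        // the rest of this condition is cut off on the page
                                                        isEmpty(user.mysql.usersTableSnapshot[PASSWORD_COLUMN]))

    success = isEmptyArray(blankPwdUsers)
  }

  // the remaining fields of the returned object are cut off on the page
  return {
    success
  }
}

// invoke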
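
The same blank-password check as a stand-alone function, written as an added example rather than the product's own rule code. It goes beyond the rule shown above by also accepting the pre-5.7 `Password` column and by setting aside accounts whose plugin does not store a password hash. The row shape and the function and constant names are assumptions; the column and plugin names are those of MySQL and RDS.

```javascript
// Added example; not the product's rule code. Assumed input: one object per
// mysql.user row, keyed by column name (User, Host, plugin, ...).

// Plugins whose credential is a password hash stored in mysql.user.
// An empty plugin value is treated here as native password authentication.
const PASSWORD_PLUGINS = new Set([
  "", "mysql_native_password", "sha256_password", "caching_sha2_password",
])

function findBlankPasswordAccounts(rows) {
  const blank = []
  const skipped = []
  for (const row of rows || []) {
    const account = `'${row.User}'@'${row.Host}'`
    if (!PASSWORD_PLUGINS.has(row.plugin || "")) {
      skipped.push(account) // credential is not a stored password hash
      continue
    }
    // MySQL 5.7.6+ keeps the hash in authentication_string; older servers
    // used the Password column, so a value in either one counts.
    const hash = row.authentication_string || row.Password || ""
    if (hash === "") {
      // locked is reported for triage only; the account still fails the check
      blank.push({ account, locked: row.account_locked === "Y" })
    }
  }
  return { success: blank.length === 0, blank, skipped }
}

// Constructed sample rows (the hash value is fake).
const FAKE_HASH = "*" + "A".repeat(40)
const SAMPLE_ROWS = [
  { User: "app", Host: "10.0.%", plugin: "mysql_native_password",
    authentication_string: FAKE_HASH, account_locked: "N" },
  { User: "report", Host: "%", plugin: "caching_sha2_password",
    authentication_string: "", account_locked: "N" },
  { User: "", Host: "localhost", plugin: "mysql_native_password",
    authentication_string: "", account_locked: "Y" },
  { User: "legacy", Host: "%", plugin: "", Password: FAKE_HASH,
    authentication_string: "" },
  { User: "iam_user", Host: "%", plugin: "AWSAuthenticationPlugin",
    authentication_string: "RDS", account_locked: "N" },
]

console.log(JSON.stringify(findBlankPasswordAccounts(SAMPLE_ROWS), null, 2))
```

Accounts listed under `skipped` need a separate review of their plugin's own credential handling.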