Why is it bad to have a weak mysql user password?

Whoever was making this argument seems to be saying "Once someone has their foot in the door, you might as well give them complete access". By that logic, a firewall negates the need for all passwords on your internal network.

Strong passwords are one step towards limiting the damage done by network intrusion. There's no reason to throw your hands up in defeat just because one small part of your network was compromised.


It really goes back to the idea of 'Defense in Depth' so at least a strong password could slow them down so that you can discover and block them. I like the analogy of having a single key for a gated community vs. a key on the door of every house.


It depends a lot on how your MySQL server is set up. If it only accepts requests off of the home (127.0.0.1) IP, that does make it moderately more secure.

Given a scenario where you allow remote IPs it becomes a much bigger deal.

In addition to that, it's always good to have strong security in case of intrusion - better that they walk away with as little as possible.
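A concrete way to audit and tighten exactly the points raised in this answer (local-only binding, remote hosts, account exposure). This is an added example, not code from any of the answers; it assumes MySQL 8.0, a database called appdb, and an application account named app, and the password is a placeholder to replace:

```sql
-- 1. Is the server reachable from outside? bind_address comes from my.cnf
--    (bind-address = 127.0.0.1 keeps it local-only; 0.0.0.0 or * exposes it).
SHOW VARIABLES LIKE 'bind_address';

-- 2. Which accounts can log in from any host, or with no password at all?
--    These are the accounts a strong password (or a host restriction) protects.
SELECT User,
       Host,
       plugin,
       authentication_string = '' AS empty_password,
       Host IN ('%', '') AS any_host
FROM mysql.user
ORDER BY any_host DESC, empty_password DESC;

-- 3. Enforce password strength server-wide so weak passwords cannot be set
--    by accident later (validate_password component, MySQL 8.0).
INSTALL COMPONENT 'file://component_validate_password';
SET GLOBAL validate_password.policy = 'STRONG';
SET GLOBAL validate_password.length = 20;

-- 4. Least-privilege application account: bound to localhost, strong password,
--    only the rights the application needs. Compare with 'app'@'%' + ALL
--    PRIVILEGES, which is what turns one compromised host into a database dump.
CREATE USER 'app'@'localhost'
  IDENTIFIED BY 'REPLACE-WITH-A-LONG-RANDOM-PASSWORD';   -- placeholder
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'localhost';

-- 5. If remote clients really are required, restrict the host and require TLS
--    instead of opening the account to every address on port 3306.
CREATE USER 'app'@'10.0.5.%'
  IDENTIFIED BY 'REPLACE-WITH-A-DIFFERENT-RANDOM-PASSWORD'   -- placeholder
  REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'10.0.5.%';
FLUSH PRIVILEGES;
```

Step 2 is the quick check to run first: any row with any_host = 1 or empty_password = 1 is an account whose only remaining defence is the password quality being debated here.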


Is there a lock on the Petty Cash box in Accounting? If so, why? Doesn't the building have physical security?


you don't need a strong mysql user password because in order to use it, they'd already have access to your server

This isn't true, because mysql can also be used in a cross-network client-server environment, and by default the only thing you need is user/pass to gain access to the database (of course, with port 3306 opened and the server publicly visible).