User has no password set

Question

I see these when running MySQLTuner.pl:

-------- Security Recommendations  -------------------------------------------
[!!] User '@debian' has no password set.
[!!] User '@localhost' has no password set.
------------------------------------------------------------------------------

• Is it a security hole?
• How to fix it?

Thanks

Answer 1

That is definite a security hole. That's because mysql was installed that way.

To remove those entries, please run these lines

DELETE FROM mysql.user WHERE user='' or password='';
FLUSH PRIVILEGES;

Here are three(3) past posts I wrote on how and why to do such cleanup of mysql.user and mysql.db

• Secure method beside phpMyAdmin for remote mysql
• MySQL error: Access denied for user 'a'@'localhost' (using password: YES)
• MySQL : Why are there "test" entries in mysql.db?