Add warning for default user/password usage

[madhuracj]

As suggested by Emanuel Bronshtein,

Don’t use the controluser ‘pma’ if it does not yet exist and don’t use ‘pmapass’ as password.
consider testing if pma:pmapass is used, and warn about it?

[ibennetch]

For this one, my opinion is that we can permit logging in but should show a warning on the main page, similar to the way we warn the user if blowfish_secret is too short.

I'm undecided on whether we should have a configuration directive to bypass this test; I tend to think that's just adding clutter to the already-too-long list of configuration directives, but on the other hand my testing server actually has username pma and password pmapass and I don't want to be warned. I suppose I could just change the password... ;-)

[williamdes]

Is it normal that the following warning disappeared somewhere between 4.5.1 and 4.7.7 and in newer versions ?
I know this is maybe not the right place to post this message ...

You are connected as 'root' with no password, which corresponds to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole by setting a password for user 'root'.

[aroralakshya]

@williamdes, that is exactly what I've been thinking, maybe we can add the warning for pma:pmapass in a similar way.

[ibennetch]

@williamdes That was removed starting in version 4.6.0, because of #11708. With the introduction of $cfg['Servers'][$i]['AllowNoPassword'] , it was decided that since the user had to intentionally allow no password logins, they therefore didn't need to be warned.

[ibennetch]

@nulll-pointer Sounds good to me.

[ibennetch]

Implemented with #14443, so this will become a part of version 5.0