Taking a cursory glance you can find a lot of articles on — exposed MySQL / Postgres servers being infected when they run with weak / default passwords. Exposing your db servers beyond the private network is the problem, kudos for trying to support people, but trying to secure open dbs on the net will always be a cat & mouse game.

That was my point, yes. And my strange suggestion about having an additional server-generated secret was an attempt to secure even servers with weak passwords.