MDEV-3915 COM_CHANGE_USER allows fast password brute-forcing

allow only three failed change_user per connection.
successful change_user do NOT reset the counter

tests/mysql_client_test.c:
  make --error to work for --change_user errors

sql/sql_class.h

@@ -1865,6 +1865,7 @@ public:
   bool	     no_errors, password;
   bool       extra_port;                        /* If extra connection */
 
+  uint8      failed_com_change_user;
   /**
     Set to TRUE if execution of the current compound statement
     can not continue. In particular, disables activation of