validate_password plugin can be used to
test passwords and improve security. This plugin implements two
In statements that assign a password supplied as a cleartext value, the value is checked against the current password policy and rejected if it is weak (the statement returns an
ER_NOT_VALID_PASSWORDerror). This affects the
SET PASSWORDstatements. Passwords given as arguments to the
OLD_PASSWORD()functions are checked as well.
The strength of potential passwords can be assessed using the
VALIDATE_PASSWORD_STRENGTH()SQL function, which takes a password argument and returns an integer from 0 (weak) to 100 (strong).
For example, the cleartext password in the following statement is checked. Under the default password policy, which requires passwords to be at least 8 characters long, the password is weak and the statement produces an error:
ALTER USER USER() IDENTIFIED BY 'abc';ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
Passwords specified as already hashed values are not checked because the original password value is not available:
ALTER USER 'jeffrey'@'localhost'->
IDENTIFIED WITH mysql_native_password->
AS '*0D3CED9BEC10A777AEC23CCC353A8C08A633045E';Query OK, 0 rows affected (0.01 sec)
The parameters that control password checking are available as the
values of the system variables having names of the form
These variables can be modified to configure password checking;
see Section 7.2.2, “Password Validation Plugin Options and Variables”.
The three levels of password checking are
MEDIUM; to change this, modify the
policies implement increasingly strict password tests. The
following descriptions refer to default parameter values; these
can be modified by changing the appropriate system variables.
LOWpolicy tests password length only. Passwords must be at least 8 characters long.
MEDIUMpolicy adds the conditions that passwords must contain at least 1 numeric character, 1 lowercase and uppercase character, and 1 special (nonalphanumeric) character.
STRONGpolicy adds the condition that password substrings of length 4 or longer must not match words in the dictionary file, if one has been specified.
validate_password plugin is not
system variables are not available, passwords in statements are
not checked, and
returns 0. For example, accounts can be assigned passwords shorter
than 8 characters.