The validate_password plugin serves to test
passwords and improve security. The plugin exposes a set of system
variables that enable you to define a password policy.
The plugin implements two capabilities:
In statements that assign a password supplied as a cleartext value, the plugin checks the password against the current password policy and rejects it if it is weak. This affects the
SET PASSWORD statements. Passwords given as arguments to the
OLD_PASSWORD() functions are checked as well.
The VALIDATE_PASSWORD_STRENGTH() SQL function assesses the strength of potential passwords. The function takes a password argument and returns an integer from 0 (weak) to 100 (strong).
The validate_password plugin provides three
levels of password checking:
MEDIUM; controlled by the
configuration option. The policies implement increasingly strict
LOW policy tests password length only. Passwords must be at least 8 characters long.
MEDIUM policy adds the conditions that passwords must contain at least 1 numeric character, 1 lowercase character, 1 uppercase character, and 1 special (nonalphanumeric) character.
STRONG policy adds the condition that password substrings of length 4 or longer must not match words in the dictionary file, if one has been specified.
In addition, the
validate_password plugin can
reject passwords that match the user name part of the effective
user account for the current session, either forward or in
reverse. To enable this capability, you must enable the
To install and configure the password validation plugin:
Add these options under the
[mysqld] option group in the MySQL configuration file (
plugin-load-add=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_policy=MEDIUM
validate_password_check_user_name=1
plugin-load-add=validate_password.so: Loads the validate_password.so plugin library each time the server is started.
validate-password=FORCE_PLUS_PERMANENT: Prevents the server from running without the password-validation plugin, and server startup fails if the plugin does not initialize successfully.
validate_password_policy=MEDIUM: Specifies that passwords must be at least 8 characters long, contain at least 1 numeric character, 1 lowercase character, 1 uppercase character, and 1 special (nonalphanumeric) character. MEDIUM is the default setting.
validate_password_check_user_name=1: Rejects passwords that match the user name part of the effective user account for the current session, either forward or in reverse.
shell> systemctl restart mysqld
shell> cd /usr/local/mysql
shell> bin/mysqladmin -u root -p version
Enter password: (enter root password here)
mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'validate%';
+-------------------+---------------+
| PLUGIN_NAME       | PLUGIN_STATUS |
+-------------------+---------------+
| validate_password | ACTIVE        |
+-------------------+---------------+
To verify that the password validation plugin works, attempt to create a user with a non-compliant password:
mysql> CREATE USER 'bob.smith'@'localhost' IDENTIFIED BY 'abc';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
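The three policy levels and the user-name check described above, modelled in Python so that candidate passwords can be pre-checked in a provisioning script before they reach the server. This is an added example, not MySQL's implementation and not code from the original page; the function name, the case-sensitive user-name comparison and the case-insensitive dictionary match are assumptions.

```python
LEVELS = ("LOW", "MEDIUM", "STRONG")

def policy_failures(password, policy="MEDIUM", user_name=None,
                    check_user_name=False, dictionary=()):
    """Return the rules the password fails (empty list = accepted).

    Hypothetical helper; rules follow the page's description of each level.
    """
    if policy not in LEVELS:
        raise ValueError(f"unknown policy: {policy}")
    failures = []
    # Optional check: reject the user name part, forward or reversed.
    # Assumption: exact, case-sensitive comparison.
    if check_user_name and user_name and password in (user_name, user_name[::-1]):
        failures.append("matches user name")
    # LOW: length only.
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if policy == "LOW":
        return failures
    # MEDIUM adds one character of each class.
    classes = {
        "numeric": str.isdigit,
        "lowercase": str.islower,
        "uppercase": str.isupper,
        "special": lambda c: not c.isalnum(),
    }
    for name, test in classes.items():
        if not any(test(c) for c in password):
            failures.append(f"no {name} character")
    if policy == "MEDIUM":
        return failures
    # STRONG adds the dictionary test on every substring of length >= 4.
    # Assumption: comparison is case-insensitive.
    words = {w.lower() for w in dictionary if len(w) >= 4}
    lowered = password.lower()
    substrings = {lowered[i:j] for i in range(len(lowered))
                  for j in range(i + 4, len(lowered) + 1)}
    hits = sorted(substrings & words)
    if hits:
        failures.append("contains dictionary word: " + ", ".join(hits))
    return failures

if __name__ == "__main__":
    # 'abc' and 'bob.smith' are from the page's CREATE USER test; the rest is constructed.
    for pw in ("abc", "htims.bob", "Xy9!Horse22"):
        print(pw, policy_failures(pw, "STRONG", "bob.smith", True, ["horse"]))
```
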
For more information about the password validation plugin, see The Password Validation Plugin.