Documentation Home
Security in MySQL
Related Documentation Download this Excerpt
PDF (US Ltr) - 1.0Mb
PDF (A4) - 1.0Mb
HTML Download (TGZ) - 233.6Kb
HTML Download (Zip) - 241.1Kb


Security in MySQL  /  Security Plugins  /  The Password Validation Plugin

6.3 The Password Validation Plugin

The validate_password plugin serves to test passwords and improve security. The plugin exposes a set of system variables that enable you to define password policy.

The validate_password plugin implements these capabilities:

  • In SQL statements that assign a password supplied as a cleartext value, the plugin checks the password against the current password policy and rejects the password if it is weak (the statement returns an ER_NOT_VALID_PASSWORD error). This applies to the CREATE USER, GRANT, and SET PASSWORD statements, and passwords given as arguments to the PASSWORD() and OLD_PASSWORD() functions.

  • The VALIDATE_PASSWORD_STRENGTH() SQL function assesses the strength of potential passwords. The function takes a password argument and returns an integer from 0 (weak) to 100 (strong).

For example, validate_password checks the cleartext password in the following statement. Under the default password policy, which requires passwords to be at least 8 characters long, the password is weak and the statement produces an error:

mysql> SET PASSWORD = PASSWORD('abc');
ERROR 1819 (HY000): Your password does not satisfy the current
policy requirements

Passwords specified as hashed values are not checked because the original password value is not available for checking:

mysql> SET PASSWORD = '*0D3CED9BEC10A777AEC23CCC353A8C08A633045E';
Query OK, 0 rows affected (0.01 sec)

To configure password checking, modify the system variables having names of the form validate_password_xxx; these are the parameters that control password policy. See Section 6.3.2, “Password Validation Plugin Options and Variables”.

If validate_password is not installed, the validate_password_xxx system variables are not available, passwords in statements are not checked, and the VALIDATE_PASSWORD_STRENGTH() function always returns 0. For example, without the plugin installed, accounts can be assigned passwords shorter than 8 characters.

Assuming that validate_password is installed, it implements three levels of password checking: LOW, MEDIUM, and STRONG. The default is MEDIUM; to change this, modify the value of validate_password_policy. The policies implement increasingly strict password tests. The following descriptions refer to default parameter values, which can be modified by changing the appropriate system variables.