Database Reference
In-Depth Information
Solution
Use the
validate_password
plug-in to implement a password policy. New passwords
must satisfy the policy, whether those chosen by the DBA for new accounts or by existing
users changing their password.
Discussion
This technique requires the
validate_password
plug-in to be enabled. For plug-in
installation instructions, see
Recipe 22.2
.
When
validate_password
is enabled, it exposes a set of system variables that enable
you to configure it. These are the default values:
mysql>
SHOW VARIABLES LIKE 'validate_password%';
+--------------------------------------+--------+
| Variable_name | Value |
+--------------------------------------+--------+
| validate_password_dictionary_file | |
| validate_password_length | 8 |
| validate_password_mixed_case_count | 1 |
| validate_password_number_count | 1 |
| validate_password_policy | MEDIUM |
| validate_password_special_char_count | 1 |
+--------------------------------------+--------+
Suppose that you want to implement a policy that enforces these requirements for pass‐
words:
• At least 10 characters long
• Contains uppercase and lowercase characters
• Contains at least two digits
• Contains at least one special (nonalphanumeric) character
To put that policy in place, start the server with options that enable the plug-in and set
the values of the system variables that configure the policy requirements. For example,
put these lines in your server option file:
[mysqld]
plugin-load-add=validate_password.so
validate_password_length=10
validate_password_mixed_case_count=1
validate_password_number_count=2
validate_password_special_char_count=1
After starting the server, verify the settings:
