Database Reference
In-Depth Information
mysql>
SHOW VARIABLES LIKE 'validate_password%';
+--------------------------------------+--------+
| Variable_name | Value |
+--------------------------------------+--------+
| validate_password_dictionary_file | |
| validate_password_length | 10 |
| validate_password_mixed_case_count | 1 |
| validate_password_number_count | 2 |
| validate_password_policy | MEDIUM |
| validate_password_special_char_count | 1 |
+--------------------------------------+--------+
Now the
validate_password
plug-in prevents assigning passwords too weak for the
policy:
mysql>
SET PASSWORD = PASSWORD('weak-password');
ERROR 1819 (HY000): Your password does not satisfy the current
policy requirements
mysql>
SET PASSWORD = PASSWORD('Str0ng-Pa33w@rd');
Query OK, 0 rows affected (0.00 sec)
The preceding instructions leave the
validate_password_policy
system variable set
to its default value (
MEDIUM
), but you can change it to control how the server tests pass‐
words:
•
MEDIUM
enables tests for password length and the number of numeric, uppercase/
lowercase, and special characters.
• To be less rigorous, set the policy to
LOW
, which enables only the length test. To also
permit shorter passwords, decrease the required length (
validate_pass
word_length
).
• To be more rigorous, set the policy to
STRONG
, which is like
MEDIUM
but also enables
you to have passwords checked against a dictionary file, to prevent use of passwords
that match any word in the file. Comparisons are not case sensitive.
To use a dictionary file, set the value of
validate_password_dictionary_file
to
the filename at server startup. The file should contain lowercase words, one per
line. MySQL distributions include a
dictionary.txt
file in the
share
directory that
you can use, and Unix systems often have a
/usr/share/dict/words
file.
Putting a password policy in place has no effect on existing passwords. To require users
to choose a new password that satisfies the policy, expire their current password (see
Recipe 23.5
).
