First, password strength management
In version 5.7, if a user password is too simple, you may receive the following error:
GRANT REPLICATION CLIENT ON *.* TO 'username'@'%' IDENTIFIED BY 'xxxxxxxx';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
This error is related to the value of the validate_password_policy parameter. The default is 1: the password must meet the length requirement and must contain numbers, uppercase and lowercase letters, and special characters.
| Value | Meaning |
| 0 or LOW | Length |
| 1 or MEDIUM | Length; numeric, lowercase/uppercase, and special characters |
| 2 or STRONG | Length; numeric, lowercase/uppercase, and special characters; dictionary file |
If you do not want to require complex passwords, the policy can be changed (the setting is global, so it applies to every account on the server):
set global validate_password_policy=0;
GRANT REPLICATION CLIENT ON *.* TO 'zabbix'@'%' IDENTIFIED BY 'xxxxxxxx';
Query OK, 0 rows affected, 1 warning (0.02 sec)
Change the minimum password length to 4:
set global validate_password_length=4;
Query OK, 0 rows affected (0.00 sec)
View the other related parameters:
SHOW VARIABLES LIKE 'validate_password%';
Second, password expiration policy
1. Since version 5.6.6
The password_expired feature was added, which allows a user's password to be set as expired.
ALTER USER 'testuser'@'localhost' PASSWORD EXPIRE;
This feature was added to the mysql.user table as a column; its default value is "N", and it can be changed with the ALTER USER statement.
Once this option is set to "Y" for a user, the user can still log in to the MySQL server but cannot run any query until a new password has been set. Until then, statements fail with the following error:
SHOW DATABASES;
ERROR 1820 (HY000): You must SET PASSWORD before executing this statement
To clear the expired state, the user or an administrator resets the password:
alter user mdba@localhost identified by 'Aisino123!';
flush privileges;
2. Since version 5.7.4
The global variable default_password_lifetime can be used to set a global password expiration policy.
- In versions 5.7.4 - 5.7.10, the default value of default_password_lifetime is 360
- After 5.7.11, the default value of default_password_lifetime is 0
my.cnf configuration is as follows:
[mysqld]
default_password_lifetime=90
A user with the SUPER privilege can change this setting while MySQL is running:
SET GLOBAL default_password_lifetime = 90;
You can also use the ALTER USER statement to set a specific value for an individual user; it automatically overrides the global password expiration policy (note that the INTERVAL unit in the ALTER USER statement is days):
-- Set the password of 'testuser'@'localhost' to expire after 30 days
ALTER USER 'testuser'@'localhost' PASSWORD EXPIRE INTERVAL 30 DAY;
-- Set the password of 'testuser'@'localhost' to never expire
ALTER USER 'testuser'@'localhost' PASSWORD EXPIRE NEVER;
-- Make 'testuser'@'localhost' use the global password expiration policy
ALTER USER 'testuser'@'localhost' PASSWORD EXPIRE DEFAULT;
Third, locking and unlocking users
Starting with version 5.7.8, a new feature allows user accounts to be locked and unlocked:
ALTER USER 'furrywall'@'localhost' ACCOUNT LOCK;
ALTER USER 'furrywall'@'localhost' ACCOUNT UNLOCK;
-- Verify
select user,host,account_locked from mysql.user;
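The verification query above can be extended into a single audit of expiration and lock state for every account. This is an added example, not part of the original post; the aliases a, lifetime_days, age_days and expiry_status are names chosen here, and the day arithmetic only approximates the server's own expiry check.

```sql
-- Added example, not from the original post. Targets MySQL 5.7.8 or later
-- and needs SELECT on mysql.user.
-- mysql.user.password_lifetime:
--   NULL = follow default_password_lifetime
--   0    = never expire
--   N    = expire N days after password_last_changed
SELECT
    a.user,
    a.host,
    a.account_locked,
    a.password_expired,
    a.password_last_changed,
    a.lifetime_days,
    CASE
        WHEN a.password_expired = 'Y'      THEN 'expired: must set a new password'
        WHEN a.lifetime_days = 0           THEN 'never expires'
        WHEN a.age_days IS NULL            THEN 'unknown: no change timestamp'
        WHEN a.age_days >= a.lifetime_days THEN 'expired: lifetime reached'
        ELSE CONCAT(a.lifetime_days - a.age_days, ' day(s) left')
    END AS expiry_status
FROM (
    SELECT
        user,
        host,
        account_locked,
        password_expired,
        password_last_changed,
        -- Per-user value overrides the global one; CAST avoids unsigned
        -- subtraction errors in the outer query.
        CAST(COALESCE(password_lifetime,
                      @@global.default_password_lifetime) AS SIGNED) AS lifetime_days,
        DATEDIFF(NOW(), password_last_changed) AS age_days
    FROM mysql.user
) AS a
ORDER BY a.user, a.host;
```

Accounts reported as 'never expires' while account_locked is 'N' are the ones to compare against the intended default_password_lifetime policy.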