Introduction to MySQL password complexity and password expiration policy

Foreword:

Year end means inspection season for the database. A general inspection will ask about password security: is password complexity enforced, are passwords rotated regularly, and so on. Classified protection (MLPS) evaluations in particular require a documented password security policy. MySQL itself can enforce password complexity and automatic password expiration, but these features are used relatively rarely and most people have never looked at them in detail. This article walks through how to configure both for database accounts.

1. Password complexity policy setting

MySQL ships with the validate_password plugin, which checks password strength and rejects any password that does not reach the configured level. Whether it is loaded by default depends on the distribution and install method; on MySQL 5.7 and 8.0 it is frequently not loaded, which is why weak passwords such as 123 or 123456 are accepted. Loading the plugin removes the problem at its root. Note that in MySQL 8.0 the plugin form is deprecated in favour of the validate_password component (INSTALL COMPONENT 'file://component_validate_password'), whose variables use a dot, for example validate_password.length, instead of the underscore names shown below; the rules themselves are the same. Let's look at how to set the password complexity policy with the plugin.

1) Check if this plugin has been installed

From the MySQL command line you can tell whether the plugin is loaded either with SHOW PLUGINS or by looking for the validate_password system variables. If no such variables exist, the plugin is not loaded.

# Check before installing: an empty result means the plugin is not loaded
mysql> show variables like 'validate%';
Empty set (0.00 sec)

2) Install the validate_password plugin

# The plugin is loaded with INSTALL PLUGIN
# The library file suffix depends on the platform: .so on Unix and Unix-like systems, .dll on Windows
mysql> INSTALL PLUGIN validate_password SONAME 'validate_password.so';
Query OK, 0 rows affected, 1 warning (0.28 sec)

# View the validate_password system variables
mysql> show variables like 'validate%';
+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password_check_user_name    | ON     |
| validate_password_dictionary_file    |        |
| validate_password_length             | 8      |
| validate_password_mixed_case_count   | 1      |
| validate_password_number_count       | 1      |
| validate_password_policy             | MEDIUM |
| validate_password_special_char_count | 1      |
+--------------------------------------+--------+
7 rows in set (0.00 sec)

3) Explanation of parameters related to password strength

Once validate_password is loaded, a set of system variables controlling password strength appears. Their names are largely self-explanatory; the key ones are explained below.

1. validate_password_policy
The policy level to enforce; the default is MEDIUM. The possible values are:
0 or LOW: only the minimum length is checked (validate_password_length)
1 or MEDIUM: the LOW check plus the required numbers of digits, lowercase letters, uppercase letters and special characters (set by the _count variables below)
2 or STRONG: the MEDIUM checks plus a dictionary check: no substring of the password that is 4 characters or longer may match a word in the dictionary file

2. validate_password_dictionary_file
Path of the password dictionary file. It is only consulted when validate_password_policy is STRONG, so STRONG is only meaningful together with a dictionary file. It is empty by default.

3. validate_password_length
Minimum password length; the default is 8. The server will not accept a value below 2 × validate_password_mixed_case_count + validate_password_number_count + validate_password_special_char_count; a lower setting is raised to that minimum with a warning.

4. validate_password_mixed_case_count
For MEDIUM and STRONG: the minimum number of lowercase letters and, separately, the minimum number of uppercase letters. The default is 1 (at least one of each); the minimum is 0.

5. validate_password_number_count
For MEDIUM and STRONG: the minimum number of digits. The default is 1; the minimum is 0.

6. validate_password_special_char_count
For MEDIUM and STRONG: the minimum number of special (non-alphanumeric) characters. The default is 1; the minimum is 0.

7. validate_password_check_user_name
When ON (as in the output above; it is the default in 8.0), a password equal to the account's user name, or to the user name reversed, is rejected regardless of the policy level.

4) Specific settings of password complexity policy

With these parameters understood, the policy can be tuned to your own requirements. For example, to require at least 10 characters with uppercase and lowercase letters, digits and special characters, it is enough to raise the length: the default MEDIUM policy already demands one character from each class.

# Require a minimum password length of 10
mysql> set global validate_password_length = 10;
Query OK, 0 rows affected (0.00 sec)

mysql> show variables like 'validate%';
+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password_check_user_name    | ON     |
| validate_password_dictionary_file    |        |
| validate_password_length             | 10     |
| validate_password_mixed_case_count   | 1      |
| validate_password_number_count       | 1      |
| validate_password_policy             | MEDIUM |
| validate_password_special_char_count | 1      |
+--------------------------------------+--------+
7 rows in set (0.00 sec)

# To make the settings persistent, write them into the configuration file. plugin-load loads the plugin at startup,
# and validate-password = FORCE_PLUS_PERMANENT refuses to start without it and prevents it from being unloaded at runtime
[mysqld]
plugin-load = validate_password.so
validate_password_length = 10
validate_password_policy = 1
validate-password = FORCE_PLUS_PERMANENT

5) Test password complexity

The complexity policy is checked only at the moment a password is set, so it is not retroactive: an account created earlier with the password 123 keeps working, but the next time its password is changed the new value must satisfy the policy, so existing accounts should be audited and rotated after enabling the plugin. Two further caveats: the check only sees cleartext passwords (IDENTIFIED BY '...'), so a password supplied as a pre-computed hash (IDENTIFIED ... AS '<hash>') is not validated, and any account allowed to run SET GLOBAL can weaken the policy at runtime, which is why the settings belong in the configuration file. Let's test the effect of the policy.

# Create a user and set a password
mysql> create user 'testuser'@'%' identified by '123';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
mysql> create user 'testuser'@'%' identified by 'ab123';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
mysql> create user 'testuser'@'%' identified by 'Ab@123';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
mysql> create user 'testuser'@'%' identified by 'Bsdf@5467672';
Query OK, 0 rows affected (0.01 sec)

# Change a password
mysql> alter user 'testuser'@'%' identified by 'dfgf3435';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
mysql> alter user 'testuser'@'%' identified by 'dBsdf@5467672';
Query OK, 0 rows affected (0.01 sec)
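The tests above find out whether a password passes by actually creating or altering accounts. As an added example (not part of the original post), the built-in VALIDATE_PASSWORD_STRENGTH() function, available whenever validate_password is loaded, scores a candidate string without touching any account, which is handy in a provisioning script or for checking what the policy in force will accept. The candidate strings are the ones tried above and are constructed sample input; the mapping of score to policy level follows the MySQL documentation. With the 8.0 component, replace @@validate_password_policy with @@validate_password.policy.

```sql
-- Added example, not from the original post. Requires the validate_password
-- plugin (or component) to be loaded in the server you run it against.
--
-- VALIDATE_PASSWORD_STRENGTH() returns a documented score band:
--   0    shorter than 4 characters
--   25   at least 4 characters but shorter than validate_password_length
--   50   satisfies LOW
--   75   satisfies MEDIUM
--   100  satisfies STRONG (dictionary check included)
-- The score needed to pass depends on the policy currently in force.
SELECT c.candidate,
       VALIDATE_PASSWORD_STRENGTH(c.candidate) AS score,
       @@validate_password_policy              AS policy_in_force,
       CASE
         WHEN VALIDATE_PASSWORD_STRENGTH(c.candidate) >=
              CASE @@validate_password_policy
                WHEN 'LOW'    THEN 50
                WHEN 'MEDIUM' THEN 75
                WHEN 'STRONG' THEN 100
              END
           THEN 'accepted'
         ELSE 'rejected'
       END AS verdict
FROM (
  -- constructed candidate passwords, the same ones tried in the tests above
  SELECT '123'          AS candidate UNION ALL
  SELECT 'ab123'                     UNION ALL
  SELECT 'Ab@123'                    UNION ALL
  SELECT 'Bsdf@5467672'
) AS c;
```

The function scores only the string it is given. The user-name comparison controlled by validate_password_check_user_name is tied to the account named in CREATE USER or ALTER USER, so a candidate that equals the intended user name can still be rejected when it is actually applied.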

2. Set the password to expire automatically

Besides enforcing complexity, we can also make passwords expire automatically, for example every 90 days, so that the password must be changed before the account can be used again. This makes a stolen or leaked credential less valuable over time. Let's look at how to set it up.

Set an expiration time for a single account

Use ALTER USER to expire a single account's password immediately, or to give that account its own expiration interval.

# Check account status in the mysql.user system table
mysql> select user,host,password_expired,password_lifetime,password_last_changed,account_locked from mysql.user;
+------------------+-----------+------------------+-------------------+-----------------------+----------------+
| user             | host      | password_expired | password_lifetime | password_last_changed | account_locked |
+------------------+-----------+------------------+-------------------+-----------------------+----------------+
| expuser          | %         | N                |              NULL | 2021-01-05 14:30:30   | N              |
| root             | %         | N                |              NULL | 2020-10-30 14:45:43   | N              |
| testuser         | %         | N                |              NULL | 2021-01-04 17:22:37   | N              |
| mysql.infoschema | localhost | N                |              NULL | 2020-10-30 14:37:09   | Y              |
| mysql.session    | localhost | N                |              NULL | 2020-10-30 14:37:09   | Y              |
| mysql.sys        | localhost | N                |              NULL | 2020-10-30 14:37:09   | Y              |
| root             | localhost | N                |              NULL | 2020-10-30 14:38:55   | N              |
+------------------+-----------+------------------+-------------------+-----------------------+----------------+
7 rows in set (0.01 sec)

# Expire the expuser password immediately
mysql> ALTER USER 'expuser'@'%' PASSWORD EXPIRE;
Query OK, 0 rows affected (0.00 sec)

mysql> select user,host,password_expired,password_lifetime,password_last_changed,account_locked from mysql.user;
+------------------+-----------+------------------+-------------------+-----------------------+----------------+
| user             | host      | password_expired | password_lifetime | password_last_changed | account_locked |
+------------------+-----------+------------------+-------------------+-----------------------+----------------+
| expuser          | %         | Y                |              NULL | 2021-01-05 14:30:30   | N              |
| root             | %         | N                |              NULL | 2020-10-30 14:45:43   | N              |
| testuser         | %         | N                |              NULL | 2021-01-04 17:22:37   | N              |
| mysql.infoschema | localhost | N                |              NULL | 2020-10-30 14:37:09   | Y              |
| mysql.session    | localhost | N                |              NULL | 2020-10-30 14:37:09   | Y              |
| mysql.sys        | localhost | N                |              NULL | 2020-10-30 14:37:09   | Y              |
| root             | localhost | N                |              NULL | 2020-10-30 14:38:55   | N              |
+------------------+-----------+------------------+-------------------+-----------------------+----------------+
7 rows in set (0.00 sec)

# Set this account's password to never expire
mysql> ALTER USER 'expuser'@'%' PASSWORD EXPIRE NEVER;
Query OK, 0 rows affected (0.01 sec)

# Give this account its own 90-day expiration interval
mysql> ALTER USER 'expuser'@'%' PASSWORD EXPIRE INTERVAL 90 DAY;
Query OK, 0 rows affected (0.00 sec)

mysql> select user,host,password_expired,password_lifetime,password_last_changed,account_locked from mysql.user;
+------------------+-----------+------------------+-------------------+-----------------------+----------------+
| user             | host      | password_expired | password_lifetime | password_last_changed | account_locked |
+------------------+-----------+------------------+-------------------+-----------------------+----------------+
| expuser          | %         | N                |                90 | 2021-01-05 14:41:28   | N              |
| root             | %         | N                |              NULL | 2020-10-30 14:45:43   | N              |
| testuser         | %         | N                |              NULL | 2021-01-04 17:22:37   | N              |
| mysql.infoschema | localhost | N                |              NULL | 2020-10-30 14:37:09   | Y              |
| mysql.session    | localhost | N                |              NULL | 2020-10-30 14:37:09   | Y              |
| mysql.sys        | localhost | N                |              NULL | 2020-10-30 14:37:09   | Y              |
| root             | localhost | N                |              NULL | 2020-10-30 14:38:55   | N              |
+------------------+-----------+------------------+-------------------+-----------------------+----------------+
7 rows in set (0.00 sec)

# Make this account follow the global expiration policy again
mysql> ALTER USER 'expuser'@'%' PASSWORD EXPIRE DEFAULT;
Query OK, 0 rows affected (0.01 sec)

The mysql.user system table records this information for every account. A password_expired value of Y means the password has expired. A client that supports sandbox mode can still connect with the expired password, but every statement other than a password change is rejected with ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement. Clients without sandbox support are disconnected instead (the server variable disconnect_on_expired_password controls this). Either way the password must be changed before normal work can resume.

For an account with an expiration interval, say 90 days, the server compares the current time with password_last_changed when the client connects; if more than 90 days have passed, the password is treated as expired and must be changed before anything else can be done. Because this is evaluated at login rather than written back to the table, do not rely on the password_expired column alone to find lapsed passwords; compare password_last_changed with the lifetime in force.

Set a global expiration policy

A global automatic expiration policy is set with the default_password_lifetime system variable, whose unit is days. Before 5.7.11 its default was 360 (passwords had to be changed roughly once a year); from 5.7.11 on the default is 0, meaning passwords never expire. Setting it to 90, for example, makes every account without its own password_lifetime expire after 90 days.

# Set the global policy: change it at runtime first, then add it to the configuration file
mysql> SET GLOBAL default_password_lifetime = 90;
Query OK, 0 rows affected (0.01 sec)

mysql> show variables like 'default_password_lifetime';
+---------------------------+-------+
| Variable_name             | Value |
+---------------------------+-------+
| default_password_lifetime | 90    |
+---------------------------+-------+
1 row in set (0.00 sec)

# Write it into the configuration file so it survives a restart
[mysqld]
default_password_lifetime = 90

Although an expired password can be "reset" by setting it to its current value, a sound policy requires choosing a different one. MySQL 5.7 does not enforce this; MySQL 8.0 adds password_history and password_reuse_interval, which forbid reusing any of the last N passwords or any password used within the last N days.
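As an added example (not part of the original post), the audit query below reads mysql.user and shows, for every unlocked account, how old its password is, which lifetime actually applies (the per-account password_lifetime, falling back to the global default_password_lifetime when it is NULL, with 0 meaning never), and a status; a second query generates the ALTER USER statements that would expire the overdue ones. The 14-day warning window is an arbitrary choice for illustration. It needs SELECT on mysql.user and relies on the password_last_changed and password_lifetime columns present in 5.7.6+ and 8.0.

```sql
-- Added example, not from the original post. Requires SELECT on mysql.user.
-- Effective lifetime per account: password_lifetime if set, otherwise the
-- global default_password_lifetime; 0 means the password never expires.
SELECT u.user,
       u.host,
       u.password_last_changed,
       DATEDIFF(NOW(), u.password_last_changed)                          AS days_since_change,
       COALESCE(u.password_lifetime, @@GLOBAL.default_password_lifetime) AS lifetime_days,
       CASE
         WHEN u.password_expired = 'Y'
           THEN 'EXPIRED (password_expired = Y)'
         WHEN u.password_last_changed IS NULL
           THEN 'UNKNOWN (no change timestamp recorded)'
         WHEN COALESCE(u.password_lifetime, @@GLOBAL.default_password_lifetime) = 0
           THEN 'NEVER EXPIRES (review)'
         WHEN DATEDIFF(NOW(), u.password_last_changed)
              >= COALESCE(u.password_lifetime, @@GLOBAL.default_password_lifetime)
           THEN 'OVERDUE (treated as expired at next login)'
         WHEN DATEDIFF(NOW(), u.password_last_changed)
              >= COALESCE(u.password_lifetime, @@GLOBAL.default_password_lifetime) - 14
           THEN 'DUE WITHIN 14 DAYS'
         ELSE 'OK'
       END AS status
FROM mysql.user AS u
WHERE u.account_locked = 'N'
ORDER BY days_since_change DESC;

-- Generate, but do not run, the statements that would expire every overdue
-- password immediately. QUOTE() produces the quoted 'user'@'host' form.
-- Review the list, then execute it.
SELECT CONCAT('ALTER USER ', QUOTE(u.user), '@', QUOTE(u.host),
              ' PASSWORD EXPIRE;') AS remediation
FROM mysql.user AS u
WHERE u.account_locked = 'N'
  AND u.password_expired = 'N'
  AND u.password_last_changed IS NOT NULL
  AND COALESCE(u.password_lifetime, @@GLOBAL.default_password_lifetime) > 0
  AND DATEDIFF(NOW(), u.password_last_changed)
      >= COALESCE(u.password_lifetime, @@GLOBAL.default_password_lifetime);
```

Accounts reported as NEVER EXPIRES include the locked-down system accounts only if they are unlocked, since the WHERE clause skips locked ones; application accounts that legitimately use PASSWORD EXPIRE NEVER should be listed and justified in the password policy document rather than left unexplained.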

Summary:

This article covered two password security policies for the database: password complexity and password expiration. Each additional policy is one more layer of reassurance. Remember: there is no such thing as a small matter in security.

Source: blog.51cto.com/10814168/2584386