Improvements in password management in MySQL 8.0.34

The author of this article details the improvements in password management in MySQL 8.0.34 version.

Author: Sri Sakthivel

Source of this article: Percona official blog

  • Produced by the Axon Open Source Community.

MySQL 8.0.34 brings a new password validation parameter, validate_password.changed_characters_percentage. With it we can control the minimum number of characters in a password that a user must change before a new password for their account is accepted. In this article, a few scenarios show how the validate_password.changed_characters_percentage parameter affects user password changes.

Prerequisites

To use this feature, we should enable the "Password Authentication Policy" (introduced in MySQL 8.0.13). We can enable it globally with the parameter password_require_current, or per account by specifying PASSWORD REQUIRE CURRENT when creating or altering a user. Brian Sumpter explained this topic well in his article MySQL 8: Password Authentication Strategies; I recommend reading it to learn more about the policy. In my case, I just enabled the parameter password_require_current to enforce the "Password Authentication Policy" globally.

percona labs MySQL 8.0.34 > set persist password_require_current = 1;
Query OK, 0 rows affected (0.05 sec)

percona labs MySQL 8.0.34 > select @@password_require_current;
+----------------------------+
| @@password_require_current |
+----------------------------+
|                          1 |
+----------------------------+
1 row in set (0.00 sec)

Once we enable the password_require_current option, we must provide the old password in the REPLACE clause; otherwise the password change is refused and you will receive the following error:

percona labs MySQL 8.0.34 > alter user 'test'@'localhost' identified by 'Test@321';
ERROR 3892 (HY000): Current password needs to be specified in the REPLACE clause in order to change it.

Note: Users with the global CREATE USER privilege, or the UPDATE privilege on the mysql system database, can still change passwords without specifying the current password.

Create a test environment

MySQL 8.0.34 was installed on the test server, and the validate_password component was installed.

percona labs MySQL 8.0.34 > select @@version, @@version_comment;
+-----------+------------------------------+
| @@version | @@version_comment            |
+-----------+------------------------------+
| 8.0.34    | MySQL Community Server - GPL |
+-----------+------------------------------+
1 row in set (0.00 sec)

percona labs MySQL 8.0.34 > INSTALL COMPONENT 'file://component_validate_password';
Query OK, 0 rows affected (0.00 sec)

percona labs MySQL 8.0.34 > select @@validate_password.changed_characters_percentage;
+---------------------------------------------------+
| @@validate_password.changed_characters_percentage |
+---------------------------------------------------+
|                                                 0 |
+---------------------------------------------------+
1 row in set (0.00 sec)

I recommend installing the validate_password component instead of the validate_password plugin (deprecated). You may not see this feature when it is installed as a plugin.

Test

validate_password.changed_characters_percentage was set to 50. This means that whenever a user attempts to reset their password, the new password must differ from the old one in at least 50% of its characters.

percona labs MySQL 8.0.34 > set global validate_password.changed_characters_percentage=50;
Query OK, 0 rows affected (0.00 sec)

percona labs MySQL 8.0.34 > select @@validate_password.changed_characters_percentage;
+---------------------------------------------------+
| @@validate_password.changed_characters_percentage |
+---------------------------------------------------+
|                                                50 |
+---------------------------------------------------+
1 row in set (0.00 sec)

Then I created the user percona1 with the password Percona@321.

percona labs MySQL 8.0.34 > create user 'percona1'@'localhost' identified by 'Percona@321';
Query OK, 0 rows affected (0.00 sec)

percona labs MySQL 8.0.34 > grant select on *.* to 'percona1'@'localhost';
Query OK, 0 rows affected (0.00 sec)

percona labs MySQL 8.0.34 > flush privileges;
Query OK, 0 rows affected (0.01 sec)

Now, let us try to change the password to Percona@567.

percona labs MySQL 8.0.34 > select user();
+--------------------+
| user()             |
+--------------------+
| percona1@localhost |
+--------------------+
1 row in set (0.00 sec)

percona labs MySQL 8.0.34 > alter user percona1@localhost identified by 'Percona@567' replace 'Percona@321';
ERROR 4165 (HY000): The new password must have at least '5' characters that are different from the old password. It has only '3' character(s) different. For this comparison, uppercase letters and lowercase letters are considered to be equal.

It won't let me change my password from Percona@321 to Percona@567, and the error explains the situation very clearly. My password was 11 characters long, and my new password differs by only three characters (Percona@321 to Percona@567). According to my changed_characters_percentage value, the new password must contain 50% new characters, which means at least five different characters. Therefore, the new password does not meet the requirement.

Now, let's try another new password, Percona%#567. It has five characters that differ from the previous password.

percona labs MySQL 8.0.34 > alter user percona1@localhost identified by 'Percona%#567' replace 'Percona@321';
Query OK, 0 rows affected (0.01 sec)

As long as the requirements are met, it will work!

How does it handle uppercase and lowercase letters?

To explain this case, I created another user, percona2, with the password PERCONa@321.

percona labs MySQL 8.0.34 > create user 'percona2'@'localhost' identified by 'PERCONa@321';
Query OK, 0 rows affected (0.00 sec)

The password is 11 characters long, so we must change at least five characters in the new password. I will update my password from PERCONa@321 to perconA@321. In this example, I'm changing the case of seven characters.

percona labs MySQL 8.0.34 > alter user percona2@localhost identified by 'perconA@321' replace 'PERCONa@321';
ERROR 4165 (HY000): The new password must have at least '5' characters that are different from the old password. It has only '0' character(s) different. For this comparison, uppercase letters and lowercase letters are considered to be equal.

It does not work. The password cannot be changed because uppercase and lowercase letters are considered the same.

How does it handle passwords with a different character count?

To test this scenario, I created a user percona3 with the password Percona@321. We can test the following scenarios:

  • More existing characters
  • More non-existent characters

More existing characters

To test this, I changed my password from Percona@321 to Percona@3213333333 (simply appending seven "3" characters to the existing password).

percona labs MySQL 8.0.34 > select user();
+--------------------+
| user()             |
+--------------------+
| percona3@localhost |
+--------------------+
1 row in set (0.00 sec)

percona labs MySQL 8.0.34 > alter user percona3@localhost identified by 'Percona@3213333333' replace 'Percona@321';
ERROR 4165 (HY000): The new password must have at least '5' characters that are different from the old password. It has only '0' character(s) different. For this comparison, uppercase letters and lowercase letters are considered to be equal.

The error reports "0" characters different even though we appended seven characters, because the only character added, "3", is already present in the old password. In this case the new password Percona@3213333333 is rejected.

More non-existent characters

To test this, I now change the password from Percona@321 to Percona@3214455667788. In this example I add ten characters to the existing password, but only five distinct characters (4, 5, 6, 7, 8) do not already exist in it.


percona labs MySQL 8.0.34 > alter user percona3@localhost identified by 'Percona@3214455667788' replace 'Percona@321';
Query OK, 0 rows affected (0.01 sec)

It works!

So, from the two examples above, the password length may vary, but the new password must still satisfy the percentage of changed characters.
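To see the rule in code, here is a small Python pre-check that reproduces the behaviour of the five ALTER USER attempts above. It is an added example, not part of the original article and not MySQL's validate_password component: the case-insensitive comparison and the "11 characters at 50% requires 5" threshold are taken from the error messages quoted on this page, while floor division and counting each distinct new character once are assumptions, as are the names changed_characters_check and server_style_message. A password-rotation job can run such a check before issuing ALTER USER so it does not fail with ERROR 4165 after the round trip.

```python
"""Pre-check a candidate password against the changed-characters rule.

Added example for this article; it is not MySQL's own code. It models the
rule as the ERROR 4165 messages quoted above describe it: the comparison is
case-insensitive, and the required count is a percentage of the current
password's length (11 characters at 50% gives 5 in every error shown).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeCheck:
    required: int   # minimum number of changed characters the server demands
    changed: int    # characters in the new password that are absent from the old
    accepted: bool  # True when changed >= required


def changed_characters_check(old_password: str, new_password: str,
                             percentage: int = 50) -> ChangeCheck:
    """Mirror validate_password.changed_characters_percentage locally.

    Assumptions (not confirmed by the article): the threshold uses integer
    (floor) division, and each distinct new character is counted once. The
    article's outcomes are consistent with both counting variants.
    """
    if not 0 <= percentage <= 100:
        raise ValueError("percentage must be between 0 and 100")
    # Uppercase and lowercase are considered equal, as the error text states.
    old_chars = set(old_password.casefold())
    new_chars = set(new_password.casefold())
    changed = len(new_chars - old_chars)
    # Percentage of the *current* password's length: 11 * 50 // 100 == 5.
    required = len(old_password) * percentage // 100
    return ChangeCheck(required=required, changed=changed,
                       accepted=changed >= required)


def server_style_message(old_password: str, new_password: str,
                         percentage: int = 50) -> str:
    """Return a message in the shape of MySQL's ERROR 4165 text, or 'OK'."""
    result = changed_characters_check(old_password, new_password, percentage)
    if result.accepted:
        return "OK"
    return (f"The new password must have at least '{result.required}' characters "
            f"that are different from the old password. It has only "
            f"'{result.changed}' character(s) different.")


# Constructed from the scenarios in the article: (old password, new password).
ARTICLE_SCENARIOS = [
    ("Percona@321", "Percona@567"),            # rejected: only 3 changed
    ("Percona@321", "Percona%#567"),           # accepted: 5 changed
    ("PERCONa@321", "perconA@321"),            # rejected: case only, 0 changed
    ("Percona@321", "Percona@3213333333"),     # rejected: '3' already present
    ("Percona@321", "Percona@3214455667788"),  # accepted: 4,5,6,7,8 are new
]


def run_article_scenarios(percentage: int = 50) -> list:
    """Evaluate every article scenario; returns the list of accepted flags."""
    return [changed_characters_check(old, new, percentage).accepted
            for old, new in ARTICLE_SCENARIOS]


if __name__ == "__main__":
    for old, new in ARTICLE_SCENARIOS:
        print(f"{old!r} -> {new!r}: {server_style_message(old, new)}")
```

With the default of 0 the check always passes, which matches the value shown right after installing the component above; raising the percentage is what turns the rule on.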

Conclusion

MySQL 8 has many security improvements and new features, and I would say this one is very useful for strengthening password validation and adding more security when user passwords are changed.

Original link: https://www.percona.com/blog/mysql-8-0-34-improved-password-management-by-defining-the-change-characters-count/

For more technical articles, please visit: https://opensource.actionsky.com/

About SQLE

SQLE from the Axon open source community is a SQL audit tool for database users and managers that supports multi-scenario audits, standardized online processes, native support for MySQL audits and scalable database types.

Get SQLE

Repository: https://github.com/actiontech/sqle
Documentation: https://actiontech.github.io/sqle-docs/
Release notes: https://github.com/actiontech/sqle/releases
Database audit plugin development documentation: https://actiontech.github.io/sqle-docs/docs/dev-manual/plugins/howtouse

Origin blog.csdn.net/ActionTech/article/details/132277966