
8.4.4.2 Password Validation Options and Variables

This section describes the system and status variables that validate_password provides to enable its operation to be configured and monitored.

Password Validation Component System Variables

If the validate_password component is enabled, it exposes several system variables that enable configuration of password checking:

mysql> SHOW VARIABLES LIKE 'validate_password.%';
+-------------------------------------------------+--------+
| Variable_name                                   | Value  |
+-------------------------------------------------+--------+
| validate_password.changed_characters_percentage | 0      |
| validate_password.check_user_name               | ON     |
| validate_password.dictionary_file               |        |
| validate_password.length                        | 8      |
| validate_password.mixed_case_count              | 1      |
| validate_password.number_count                  | 1      |
| validate_password.policy                        | MEDIUM |
| validate_password.special_char_count            | 1      |
+-------------------------------------------------+--------+

To change how passwords are checked, you can set these system variables at server startup or at runtime. The following list describes the meaning of each variable.

  • validate_password.changed_characters_percentage

    Command-Line Format: --validate-password.changed-characters-percentage[=value]
    System Variable: validate_password.changed_characters_percentage
    Scope: Global
    Dynamic: Yes
    SET_VAR Hint Applies: No
    Type: Integer
    Default Value: 0
    Minimum Value: 0
    Maximum Value: 100

    Indicates the minimum number of characters, as a percentage of all characters, in a password that a user must change before validate_password accepts a new password for the user's own account. This applies only when changing an existing password, and has no effect when setting a user account's initial password.

    This variable is not available unless validate_password is installed.

    By default, validate_password.changed_characters_percentage permits all of the characters from the current password to be reused in the new password. The range of valid percentages is 0 to 100. If set to 100 percent, all of the characters from the current password are rejected, regardless of the casing. Characters 'abc' and 'ABC' are considered to be the same characters. If validate_password rejects the new password, it reports an error indicating the minimum number of characters that must differ.

    If the ALTER USER statement does not provide the existing password in a REPLACE clause, this variable is not enforced. Whether the REPLACE clause is required is subject to the password verification policy as it applies to a given account. For an overview of the policy, see Password Verification-Required Policy.
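    The following SQL is an added example and is not part of the MySQL manual. It shows the percentage check being applied only when the REPLACE clause carries the current password, and how to close the gap for an account. The account 'jeffrey'@'localhost', its current password, and the 50 percent threshold are illustrative assumptions.

```sql
-- Added example; not from the MySQL manual. Account, current password and the
-- chosen percentage are assumptions for illustration.
SET PERSIST validate_password.changed_characters_percentage = 50;

-- Session of 'jeffrey'@'localhost', whose current password is assumed to be
-- 'Abc123!xyz'. The REPLACE clause supplies the current password, so the
-- percentage check runs.
ALTER USER USER() IDENTIFIED BY 'Abc123!xyw' REPLACE 'Abc123!xyz';
-- Rejected: nine of the ten characters are reused; the error reports the
-- minimum number of characters that must differ.

ALTER USER USER() IDENTIFIED BY 'Qrs987?mnp' REPLACE 'Abc123!xyz';
-- Accepted: no character of the old password is reused. Case is ignored for
-- this comparison, so 'ABC' would count as reusing 'abc'.

-- Without REPLACE the percentage is not enforced at all, even at 100 percent:
ALTER USER USER() IDENTIFIED BY 'Abc123!xyw';

-- Administrator session: make the current password mandatory for this account
-- (Password Verification-Required Policy). From then on, the statement without
-- REPLACE fails for lack of the clause, so the percentage check cannot be
-- bypassed by omitting it.
ALTER USER 'jeffrey'@'localhost' PASSWORD REQUIRE CURRENT;
```

    The practical point: changed_characters_percentage is only as strong as the verification-required policy that forces REPLACE to be present.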

  • validate_password.check_user_name

    Command-Line Format: --validate-password.check-user-name[={OFF|ON}]
    System Variable: validate_password.check_user_name
    Scope: Global
    Dynamic: Yes
    SET_VAR Hint Applies: No
    Type: Boolean
    Default Value: ON

    Whether validate_password compares passwords to the user name part of the effective user account for the current session and rejects them if they match. This variable is unavailable unless validate_password is installed.

    By default, validate_password.check_user_name is enabled. This variable controls user name matching independent of the value of validate_password.policy.

    When validate_password.check_user_name is enabled, it has these effects:

    • Checking occurs in all contexts for which validate_password is invoked, which includes use of statements such as ALTER USER or SET PASSWORD to change the current user's password, and invocation of functions such as VALIDATE_PASSWORD_STRENGTH().

    • The user names used for comparison are taken from the values of the USER() and CURRENT_USER() functions for the current session. An implication is that a user who has sufficient privileges to set another user's password can set the password to that user's name, but cannot set that user's password to the name of the user executing the statement. For example, 'root'@'localhost' can set the password for 'jeffrey'@'localhost' to 'jeffrey', but cannot set the password to 'root'.

    • Only the user name part of the USER() and CURRENT_USER() function values is used, not the host name part. If a user name is empty, no comparison occurs.

    • If a password is the same as the user name or its reverse, a match occurs and the password is rejected.

    • User-name matching is case-sensitive. The password and user name values are compared as binary strings on a byte-by-byte basis.

    • If a password matches the user name, VALIDATE_PASSWORD_STRENGTH() returns 0 regardless of how other validate_password system variables are set.
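    The following SQL is an added example, not part of the MySQL manual, showing the user-name check from both sides: the account changing its own password and an administrator changing it. The accounts are assumptions. The policy is lowered to LOW with a 4-character minimum only so that the short test passwords fail for no reason other than the name check; the values are restored at the end.

```sql
-- Added example; not from the MySQL manual. Accounts are assumptions.
-- Weakened settings for the demonstration only (restored below).
SET PERSIST validate_password.check_user_name = ON;   -- the default
SET PERSIST validate_password.policy = LOW;           -- only the length test remains
SET PERSIST validate_password.length = 4;             -- the floor with default counts

-- Session of 'jeffrey'@'localhost' (USER() and CURRENT_USER() name part: jeffrey)
SELECT VALIDATE_PASSWORD_STRENGTH('jeffrey');   -- 0: equals the user name
SELECT VALIDATE_PASSWORD_STRENGTH('yerffej');   -- 0: equals the reversed user name
SELECT VALIDATE_PASSWORD_STRENGTH('Jeffrey');   -- not forced to 0: comparison is byte-wise
                                                --   and case-sensitive
SET PASSWORD = 'jeffrey';                        -- rejected by the name check

-- Session of 'root'@'localhost': the names compared are root's own session
-- names, not the target account's.
ALTER USER 'jeffrey'@'localhost' IDENTIFIED BY 'jeffrey';  -- accepted
ALTER USER 'jeffrey'@'localhost' IDENTIFIED BY 'root';     -- rejected: matches root's name

-- Restore the defaults used elsewhere on this page.
SET PERSIST validate_password.policy = MEDIUM;
SET PERSIST validate_password.length = 8;
```

    The accepted ALTER USER by root is the documented gap: check_user_name protects only against the executing session's own name, so an administrator provisioning accounts can still hand out name-as-password credentials unless the MEDIUM or STRONG policy tests reject them on other grounds.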

  • validate_password.dictionary_file

    Command-Line Format: --validate-password.dictionary-file=file_name
    System Variable: validate_password.dictionary_file
    Scope: Global
    Dynamic: Yes
    SET_VAR Hint Applies: No
    Type: File name

    The path name of the dictionary file that validate_password uses for checking passwords. This variable is unavailable unless validate_password is installed.

    By default, this variable has an empty value and dictionary checks are not performed. For dictionary checks to occur, the variable value must be nonempty. If the file is named as a relative path, it is interpreted relative to the server data directory. File contents should be lowercase, one word per line. Contents are treated as having a character set of utf8mb3. The maximum permitted file size is 1MB.

    For the dictionary file to be used during password checking, the password policy must be set to 2 (STRONG); see the description of the validate_password.policy system variable. Assuming that is true, each substring of the password of length 4 up to 100 is compared to the words in the dictionary file. Any match causes the password to be rejected. Comparisons are not case-sensitive.

    For VALIDATE_PASSWORD_STRENGTH(), the password is checked against all policies, including STRONG, so the strength assessment includes the dictionary check regardless of the validate_password.policy value.

    validate_password.dictionary_file can be set at runtime and assigning a value causes the named file to be read without a server restart.
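    The following SQL is an added example, not part of the MySQL manual, showing the full sequence to put a dictionary into effect and verify it: load the file, confirm it was parsed, raise the policy to STRONG, and observe the substring match. The file path, its contents (it is assumed to contain the word "password"), and the test passwords are assumptions.

```sql
-- Added example; not from the MySQL manual. The file path and its contents
-- are assumptions: a lowercase word list, one word per line, utf8mb3, under
-- 1MB, readable by the server. A relative path would be resolved under the
-- data directory.
SET PERSIST validate_password.dictionary_file = '/etc/mysql/password-dictionary.txt';

-- Assignment reads the file at once. Confirm it parsed, and that the word
-- count is what you expect, before relying on the check.
SHOW STATUS LIKE 'validate_password.dictionary_file%';

-- The dictionary is only enforced at policy STRONG; at LOW or MEDIUM the
-- file is loaded but ignored for CREATE USER / ALTER USER / SET PASSWORD.
SET PERSIST validate_password.policy = STRONG;

-- Assuming the file contains the word 'password': every substring of length
-- 4 to 100 is compared case-insensitively, so a dictionary word buried in an
-- otherwise compliant password still causes rejection.
CREATE USER 'app'@'localhost' IDENTIFIED BY 'MyPASSWORD9#';   -- rejected
CREATE USER 'app'@'localhost' IDENTIFIED BY 'Tq7#vRm2!nLp';   -- accepted
                                                               --   (assuming no hit)

-- VALIDATE_PASSWORD_STRENGTH() applies the dictionary regardless of policy,
-- so it can be used to pre-screen a candidate even while policy is MEDIUM.
SELECT VALIDATE_PASSWORD_STRENGTH('MyPASSWORD9#');

-- After editing the word list, assign the path again to re-read it without
-- a restart.
SET PERSIST validate_password.dictionary_file = '/etc/mysql/password-dictionary.txt';
```

    Because the file is read from the server's filesystem at assignment time, treat it like any other server configuration input: keep it owned by the server user, not writable by application accounts, and check dictionary_file_words_count after each reload so a truncated or malformed file does not silently turn the check into a no-op.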

  • validate_password.length

    Command-Line Format: --validate-password.length=#
    System Variable: validate_password.length
    Scope: Global
    Dynamic: Yes
    SET_VAR Hint Applies: No
    Type: Integer
    Default Value: 8
    Minimum Value: 0

    The minimum number of characters that validate_password requires passwords to have. This variable is unavailable unless validate_password is installed.

    The validate_password.length minimum value is a function of several other related system variables. The value cannot be set less than the value of this expression:

    validate_password.number_count + validate_password.special_char_count + (2 * validate_password.mixed_case_count)

    If validate_password adjusts the value of validate_password.length due to the preceding constraint, it writes a message to the error log.
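    The following SQL is an added example, not part of the MySQL manual, that works the floor expression through: raising the per-class counts pushes the floor above the current length, and an explicit length below the floor is adjusted rather than accepted. The count values chosen are assumptions.

```sql
-- Added example; not from the MySQL manual. Values are illustrative.
-- Defaults: number_count=1, special_char_count=1, mixed_case_count=1,
-- so the floor is 1 + 1 + (2 * 1) = 4, and length is 8.

-- Raise the per-class requirements.
SET PERSIST validate_password.number_count       = 2;
SET PERSIST validate_password.special_char_count = 2;
SET PERSIST validate_password.mixed_case_count   = 3;   -- 3 lowercase AND 3 uppercase
-- New floor: 2 + 2 + (2 * 3) = 10. The current length (8) is below it, so
-- validate_password raises length to 10 and writes a message to the error log.
SELECT @@GLOBAL.validate_password.length;   -- 10

-- An explicit value below the floor is likewise adjusted, not taken as given:
SET PERSIST validate_password.length = 8;
SELECT @@GLOBAL.validate_password.length;   -- 10

-- Set the intended minimum explicitly after changing the counts rather than
-- relying on the adjustment; the floor is a lower bound, not a policy.
SET PERSIST validate_password.length = 14;

-- 'ABCdef12!?' is the shortest composition satisfying the counts (3 upper,
-- 3 lower, 2 digits, 2 special = 10 characters); with length 14 it still
-- fails the length test, while 'ABCdef12!?GHij' passes all of them.
SELECT VALIDATE_PASSWORD_STRENGTH('ABCdef12!?');
SELECT VALIDATE_PASSWORD_STRENGTH('ABCdef12!?GHij');
```

    When auditing a server, compare @@GLOBAL.validate_password.length against the expression rather than against the configured value in my.cnf: if the counts were raised after the length was written there, the effective length is the adjusted one, and the only record of the adjustment is the error log.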

  • validate_password.mixed_case_count

    Command-Line Format: --validate-password.mixed-case-count=#
    System Variable: validate_password.mixed_case_count
    Scope: Global
    Dynamic: Yes
    SET_VAR Hint Applies: No
    Type: Integer
    Default Value: 1
    Minimum Value: 0

    The minimum number of lowercase and uppercase characters that validate_password requires passwords to have if the password policy is MEDIUM or stronger. This variable is unavailable unless validate_password is installed.

    For a given validate_password.mixed_case_count value, the password must have that many lowercase characters, and that many uppercase characters.

  • validate_password.number_count

    Command-Line Format: --validate-password.number-count=#
    System Variable: validate_password.number_count
    Scope: Global
    Dynamic: Yes
    SET_VAR Hint Applies: No
    Type: Integer
    Default Value: 1
    Minimum Value: 0

    The minimum number of numeric (digit) characters that validate_password requires passwords to have if the password policy is MEDIUM or stronger. This variable is unavailable unless validate_password is installed.

  • validate_password.policy

    Command-Line Format: --validate-password.policy=value
    System Variable: validate_password.policy
    Scope: Global
    Dynamic: Yes
    SET_VAR Hint Applies: No
    Type: Enumeration
    Default Value: 1
    Valid Values: 0, 1, 2

    The password policy enforced by validate_password. This variable is unavailable unless validate_password is installed.

    validate_password.policy affects how validate_password uses its other policy-setting system variables, except for checking passwords against user names, which is controlled independently by validate_password.check_user_name.

    The validate_password.policy value can be specified using numeric values 0, 1, 2, or the corresponding symbolic values LOW, MEDIUM, STRONG. The following table describes the tests performed for each policy. For the length test, the required length is the value of the validate_password.length system variable. Similarly, the required values for the other tests are given by other validate_password.xxx variables.

    Policy        Tests Performed
    0 or LOW      Length
    1 or MEDIUM   Length; numeric, lowercase/uppercase, and special characters
    2 or STRONG   Length; numeric, lowercase/uppercase, and special characters; dictionary file

  • validate_password.special_char_count

    Command-Line Format: --validate-password.special-char-count=#
    System Variable: validate_password.special_char_count
    Scope: Global
    Dynamic: Yes
    SET_VAR Hint Applies: No
    Type: Integer
    Default Value: 1
    Minimum Value: 0

    The minimum number of nonalphanumeric characters that validate_password requires passwords to have if the password policy is MEDIUM or stronger. This variable is unavailable unless validate_password is installed.

Password Validation Component Status Variables

If the validate_password component is enabled, it exposes status variables that provide operational information:

mysql> SHOW STATUS LIKE 'validate_password.%';
+-----------------------------------------------+---------------------+
| Variable_name                                 | Value               |
+-----------------------------------------------+---------------------+
| validate_password.dictionary_file_last_parsed | 2019-10-03 08:33:49 |
| validate_password.dictionary_file_words_count | 1902                |
+-----------------------------------------------+---------------------+

The following list describes the meaning of each status variable.

Password Validation Plugin Options
Note

In MySQL 9.5, the validate_password plugin was reimplemented as the validate_password component. The validate_password plugin is deprecated; expect it to be removed in a future version of MySQL. Consequently, its options are also deprecated, and you should expect them to be removed as well. MySQL installations that use the plugin should make the transition to using the component instead. See Section 8.4.4.3, “Transitioning to the Password Validation Component”.

To control activation of the validate_password plugin, use this option:

Password Validation Plugin System Variables
Note

In MySQL 9.5, the validate_password plugin was reimplemented as the validate_password component. The validate_password plugin is deprecated; expect it to be removed in a future version of MySQL. Consequently, its system variables are also deprecated and you should expect them to be removed as well. Use the corresponding system variables of the validate_password component instead; see Password Validation Component System Variables. MySQL installations that use the plugin should make the transition to using the component instead. See Section 8.4.4.3, “Transitioning to the Password Validation Component”.

Password Validation Plugin Status Variables
Note

In MySQL 9.5, the validate_password plugin was reimplemented as the validate_password component. The validate_password plugin is deprecated; expect it to be removed in a future version of MySQL. Consequently, its status variables are also deprecated, and you should expect them to be removed as well. Use the corresponding status variables of the validate_password component instead; see Password Validation Component Status Variables. MySQL installations that use the plugin should make the transition to using the component instead. See Section 8.4.4.3, “Transitioning to the Password Validation Component”.