Creating a password policy by enforcing strong, complex passwords for user accounts is an essential step to improve database security. While enforcing a password policy can seem restrictive, it is crucial to securing your database and protecting sensitive data.
MySQL and MariaDB have built-in plugins that provide an easy way to establish and enforce password policies.
The table below briefly describes the different plugins:

| Plugin name | Description | Server |
|---|---|---|
| validate_password | Enforces a password policy. When enabled, validate_password_policy sets requirements for password length and complexity. | MySQL |
| password_reuse_check | Prevents a user from reusing a password. When enabled, password_reuse_check_interval sets the retention period, in days, for the password history. | MariaDB |
| simple_password_check | When enabled, passwords need at least eight characters and require at least one digit, one uppercase character, one lowercase character, and one character that is neither a digit nor a letter. System variables can be set to require more complexity. | MariaDB |
| cracklib_password_check | Checks a password's strength against a system dictionary and a set of rules for identifying poor choices. | MariaDB |
Installing and Configuring the Plugins
The first step is to check whether the plugin is included with your installation. Regardless of whether you run MySQL or MariaDB, you can find the plugin directory with this command:
MariaDB> SHOW GLOBAL VARIABLES LIKE 'plugin_dir';
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| plugin_dir    | /usr/lib/mysql/plugin/ |
+---------------+------------------------+
$ cd /usr/lib/mysql/plugin/ && ls
Installing and loading the plugin differs depending on your database server.
MySQL
Installation of the validate_password plugin requires restarting the MySQL Server.
1. Installation:
To install the plugin, these options must be added to the configuration file (my.cnf or my.ini), and MySQL must be restarted.
[mysqld]
plugin-load-add=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_policy=MEDIUM
2. Configuration:
validate-password: controls how the plugin is loaded. With FORCE or FORCE_PLUS_PERMANENT, the server will not run without the plugin: startup fails if the plugin does not initialize successfully.
Options:
- ON
- OFF
- FORCE
- FORCE_PLUS_PERMANENT – prevents it from being removed while the server is running.
validate_password_policy: the simplest way to set the password policy. The value chosen determines which of the plugin's policy-setting system variables are applied when a password is checked.
Options:
- 0 (LOW) – enforces only the length requirement set by validate_password_length.
- 1 (MEDIUM) – enforces the length requirement and requires lowercase, uppercase, and special characters.
- 2 (STRONG) – enforces the requirements of policy 1 and additionally checks the password against the dictionary file specified by validate-password-dictionary-file.
validate_password_length: sets the minimum password length (the default is eight characters). This variable should be set when validate_password_policy is enabled.
validate-password-dictionary-file: the absolute path to the dictionary file. This variable is ignored unless validate_password_policy is set to 2. For more information, see the MySQL Reference Manual.
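After the restart, confirm that the policy is actually being enforced rather than assuming it from the configuration file. The following session is an added example (not part of the original post); the account name and candidate passwords are constructed for illustration, and it assumes the MEDIUM policy configured above and a user with the CREATE USER privilege.

```sql
-- 1. Confirm the plugin is loaded and ACTIVE. With FORCE_PLUS_PERMANENT the
--    LOAD_OPTION column shows that it cannot be uninstalled at runtime.
SELECT PLUGIN_NAME, PLUGIN_STATUS, LOAD_OPTION
  FROM information_schema.PLUGINS
 WHERE PLUGIN_NAME = 'validate_password';

-- 2. Show the effective policy variables in one place (policy level, minimum
--    length, mixed-case / number / special-character counts, dictionary file).
SHOW GLOBAL VARIABLES LIKE 'validate_password%';

-- 3. Score candidate passwords before handing them out. The built-in function
--    returns 0-100 in 25-point steps: 50 means only the LOW (length) check
--    passed, 75 means the MEDIUM policy is satisfied, 100 means STRONG.
SELECT VALIDATE_PASSWORD_STRENGTH('password')    AS low_only,   -- 50: length ok, no mixed case/digits/specials
       VALIDATE_PASSWORD_STRENGTH('Tr0ub4dor&3') AS meets_medium; -- >= 75

-- 4. The policy is applied to every password-setting statement, including
--    those run by administrators, so a weak password is refused outright
--    (ER_NOT_VALID_PASSWORD) rather than silently accepted.
CREATE USER 'report_ro'@'localhost' IDENTIFIED BY 'password';     -- rejected
CREATE USER 'report_ro'@'localhost' IDENTIFIED BY 'Tr0ub4dor&3';  -- accepted under MEDIUM
```

If step 1 returns no row, the plugin-load-add line was not picked up (wrong section or file) and no password is being validated at all.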
MariaDB
1. Installation:
To install the plugin, load it into MariaDB with the following SQL command:
MariaDB> INSTALL SONAME 'plugin_name';
Also edit the my.cnf file (or my.ini on Windows) so the plugin is loaded again after a server restart; for example, for simple_password_check:
[mariadb]
plugin_load_add = simple_password_check
2. Configuration:
For the password_reuse_check plugin:
password_reuse_check_interval: sets the number of days during which a previously used password cannot be reused.
For the simple_password_check plugin:
simple_password_check_digits: sets the minimum number of digits a password must contain.
simple_password_check_letters_same_case: sets the minimum number of letters of each case; the same minimum applies to lowercase and to uppercase letters.
simple_password_check_minimal_length: sets the minimum password length.
simple_password_check_other_characters: sets the minimum number of special characters (neither letters nor digits) a password must contain.
For the cracklib_password_check plugin:
cracklib_password_check: controls how the plugin is loaded. With FORCE or FORCE_PLUS_PERMANENT, the server will not run without the plugin: startup fails if the plugin does not initialize successfully.
Options:
- ON
- OFF
- FORCE
- FORCE_PLUS_PERMANENT – prevents it from being removed while the server is running.
cracklib_password_check_dictionary: the absolute path to the dictionary file. For more information, see the MariaDB Server Documentation.
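Putting the MariaDB installation and configuration steps together, the session below loads all three plugins, tightens the simple_password_check defaults, and verifies the result. It is an added example, not from the original post or the MariaDB project; the account name, thresholds and candidate passwords are constructed for illustration, and it assumes the plugin .so files are present in plugin_dir and the session has the SUPER privilege.

```sql
-- 1. Load the plugins into the running server (keep the matching
--    plugin_load_add lines in my.cnf so they survive a restart).
INSTALL SONAME 'simple_password_check';
INSTALL SONAME 'cracklib_password_check';
INSTALL SONAME 'password_reuse_check';

-- 2. Confirm all three are ACTIVE. A plugin that is missing or DISABLED here
--    enforces nothing, whatever my.cnf says.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM information_schema.PLUGINS
 WHERE PLUGIN_TYPE = 'PASSWORD VALIDATION';

-- 3. Tighten the defaults: 12+ characters, at least 2 digits, 2 lowercase and
--    2 uppercase letters, 2 special characters, and no reuse within 365 days.
--    (Illustrative values; mirror them in my.cnf so they persist.)
SET GLOBAL simple_password_check_minimal_length    = 12;
SET GLOBAL simple_password_check_digits            = 2;
SET GLOBAL simple_password_check_letters_same_case = 2;
SET GLOBAL simple_password_check_other_characters  = 2;
SET GLOBAL password_reuse_check_interval           = 365;

-- 4. Review the effective settings of all three plugins at once.
SHOW GLOBAL VARIABLES
 WHERE Variable_name LIKE 'simple_password_check%'
    OR Variable_name LIKE 'password_reuse_check%'
    OR Variable_name LIKE 'cracklib_password_check%';

-- 5. Every loaded plugin checks each new password; a single failing plugin
--    is enough to reject it.
CREATE USER 'report_ro'@'localhost' IDENTIFIED BY 'Summer2024!';
    -- rejected: 11 characters, only one uppercase and one special character
CREATE USER 'report_ro'@'localhost' IDENTIFIED BY 'kL7#qv2$Xp9wRt';
    -- accepted: 14 chars, 3 digits, 6 lower, 3 upper, 2 specials, not in dictionary
ALTER USER 'report_ro'@'localhost' IDENTIFIED BY 'kL7#qv2$Xp9wRt';
    -- rejected by password_reuse_check: same password reused within 365 days
```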
Conclusion
Setting password requirements is an important step toward securing your database, and the MySQL and MariaDB plugins make enforcing them straightforward. For more information on best practices, the National Institute of Standards and Technology (NIST) publishes password guidelines for the technology industry. Additionally, XTIVIA can assess your database for security vulnerabilities.
For more information, please contact us.