Password Validation with simple_password_check for MariaDB Xpand

Overview

MariaDB Xpand supports password requirement enforcement.

Compatibility

Xpand Series    First Supported Version
5.3             N/A
6               6.0.4

Password Validation

When password validation is enabled, a check is performed each time a new password is set to ensure that the password meets the configured requirements. Existing passwords are not impacted by these requirements.

Enable Password Validation

To require password validation, enable it with the simple_password_check global system variable.

The simple_password_check value can be set with a SET statement as long as the user has the SUPER privilege:

SET GLOBAL simple_password_check = true;

Note that the password-related variables don't have a separate session value in addition to the global value, so changing a global password variable causes the new value to be applied to all sessions.

Configure Password Requirements

Password requirements are configured using system variables. Password requirements are only validated if simple_password_check = true is set.

Each of the following global variables can be set to an integer value from 0 to 1000:

Global variable set to integer "n"         New password must contain
simple_password_check_digits               at least "n" digit characters (0-9)
simple_password_check_letters_same_case    at least "n" lowercase letters and "n" uppercase letters
simple_password_check_minimal_length       at least "n" characters in total length
simple_password_check_other_characters     at least "n" non-digit, non-alpha characters

Note that the password-related variables don't have a separate session value in addition to the global value, so changing a global password variable causes the new value to be applied to all sessions.

Prevent Hashing

When password validation has been enabled by setting the simple_password_check variable to true, password restrictions can be further enforced with the strict_password_validation variable, which, when set to true, disallows passwords from being set with hashes.

When a password is set by hash, the password's character makeup is not visible to the server, so the server cannot enforce requirements.

The strict_password_validation value can be set with a SET statement:

SET GLOBAL strict_password_validation = true;

Note that the password-related variables don't have a separate session value in addition to the global value, so changing a global password variable causes the new value to be applied to all sessions.
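
The rules from the Configure Password Requirements and Prevent Hashing sections, modeled as a client-side pre-check that provisioning tooling could run before sending a new password to Xpand. This is an added example, not MariaDB's code; the Policy class, the violations function, the ASCII character classes and the sample values are assumptions.

```python
from dataclasses import dataclass

# Suffixes of the four simple_password_check_* variables listed on this page.
COUNTERS = ("digits", "letters_same_case", "minimal_length", "other_characters")


@dataclass(frozen=True)
class Policy:
    """Hypothetical holder for the settings; assumes simple_password_check = true."""
    digits: int
    letters_same_case: int
    minimal_length: int
    other_characters: int
    strict: bool  # strict_password_validation

    def __post_init__(self):
        for name in COUNTERS:
            if not 0 <= getattr(self, name) <= 1000:
                raise ValueError(f"simple_password_check_{name} must be 0..1000")

    def set_statements(self):
        """SET GLOBAL statements (run with SUPER) that apply this policy."""
        stmts = ["SET GLOBAL simple_password_check = true;"]
        stmts += [f"SET GLOBAL simple_password_check_{n} = {getattr(self, n)};"
                  for n in COUNTERS]
        stmts.append(f"SET GLOBAL strict_password_validation = {str(self.strict).lower()};")
        return stmts


def violations(policy, password, is_hash=False):
    """Return the requirements a new password fails (empty list = accepted)."""
    if is_hash:
        # A hash hides the character makeup, so only strict mode can refuse it.
        return ["set by hash"] if policy.strict else []
    # Assumption: ASCII character classes; the page does not say how the
    # server classifies non-ASCII characters.
    digits = sum(c in "0123456789" for c in password)
    lower = sum("a" <= c <= "z" for c in password)
    upper = sum("A" <= c <= "Z" for c in password)
    have = {"digits": digits,
            "letters_same_case": min(lower, upper),  # "n" lowercase AND "n" uppercase
            "minimal_length": len(password),
            "other_characters": len(password) - digits - lower - upper}
    return [n for n in COUNTERS if have[n] < getattr(policy, n)]


# Constructed sample policy; these numbers are not Xpand defaults.
SAMPLE = Policy(digits=2, letters_same_case=2, minimal_length=12,
                other_characters=1, strict=True)
```

With strict set to False, a password supplied as a hash passes this check no matter how the counters are configured, which is the gap strict_password_validation closes.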