circle-info
Webinar | The Great Database Exodus: Navigating Strategic Risk in the Post-Oracle MySQL Era
Register Nowarrow-up-right
search
Download MariaDBContact Us

Password Validation Plugin Overview

General introduction into plugins that enforce specific security policies and complexity rules for user passwords.

Password validation means ensuring that user passwords meet certain minimal security requirements. A dedicated plugin API allows the creation of password validation plugins that will check user passwords as they are set (in SET PASSWORD and GRANT statements) and either allow or reject them.

hashtag
SQL-Level Extensions

MariaDB comes with three password validation plugins — the simple_password_check plugin, the cracklib_password_check plugin and the password_reuse_check plugin. They are not enabled by default – use INSTALL SONAME (or INSTALL PLUGIN) statement to install them.

When at least one password plugin is loaded, all new passwords will be validated and password-changing statements will fail if the password will not pass validation checks. Several password validation plugin can be loaded at the same time — in this case a password must pass all validation checks by all plugins.

hashtag
Password-Changing Statements

One can use various SQL statements to change a user password:

hashtag
With Plain Text Password

SET PASSWORD = PASSWORD('plain-text password');
SET PASSWORD FOR `user`@`host` = PASSWORD('plain-text password');
SET PASSWORD = OLD_PASSWORD('plain-text password');
SET PASSWORD FOR `user`@`host` = OLD_PASSWORD('plain-text password');
CREATE USER `user`@`host` IDENTIFIED BY 'plain-text password';
GRANT PRIVILEGES TO `user`@`host` IDENTIFIED BY 'plain-text password';

These statements are subject to password validation. If at least one password validation plugin is loaded, plain-text passwords specified in these statements will be validated.

hashtag
With Password Hash

SET PASSWORD = 'password hash';
SET PASSWORD FOR `user`@`host` = 'password hash';
CREATE USER `user`@`host` IDENTIFIED BY PASSWORD 'password hash';
CREATE USER `user`@`host` IDENTIFIED VIA mysql_native_password USING 'password hash';
CREATE USER `user`@`host` IDENTIFIED VIA mysql_old_password USING 'password hash';
GRANT PRIVILEGES TO `user`@`host` IDENTIFIED BY PASSWORD 'password hash';
GRANT PRIVILEGES TO `user`@`host` IDENTIFIED VIA mysql_native_password USING 'password hash';
GRANT PRIVILEGES TO `user`@`host` IDENTIFIED VIA mysql_old_password USING 'password hash';

These statements can not possibly use password validation — there is nothing to validate, the original plain-text password is not available.

MariaDB introduces a strict password validation mode — controlled by a strict_password_validation global server variable.

If the strict password validation is enabled and at least one password validation plugin is loaded, passwords that cannot be validated are rejected; otherwise, they're accepted. By default, a strict password validation is enabled (but note that it has no effect if no password validation plugin is loaded).

hashtag
Examples

Failed password validation:

Strict password validation:

This page is licensed: CC BY-SA / Gnu FDL

spinner
PreviousPassword Validation PluginsNextCracklib Password Check Plugin

Last updated

Was this helpful?