cracklib_password_check

CrackLib is a password strength checking library. It is installed by default in many Linux distributions and is invoked automatically (by pam_cracklib.so) whenever the user login password is modified. Now, with the cracklib_password_check password validation plugin, one can also use it to check MariaDB account passwords.

The plugin is not enabled by default. To enable it, run:

INSTALL SONAME 'cracklib_password_check';

Versions

Variables

There is one configuration option for this plugin:

cracklib_password_check_dictionary

• Description: Sets the path to the CrackLib dictionary. If not set, the default CrackLib dictionary path is used (often /usr/lib/cracklib_dict).
• Commandline: --cracklib-password-check-dictionary=value
• Scope: Global
• Dynamic: No
• Data Type: string
• Default Value: Depends on the system. Often /usr/lib/cracklib_dict
• Introduced: MariaDB 10.1.2

If the password validation fails, the original CrackLib error message can be visible in a warning (use SHOW WARNINGS).

Note that passwords can be directly set as a hash, bypassing the password validation, if the strict_password_validation variable is OFF (it is ON by default).

Example

When creating a new password, if the criteria are not met, the following error is returned:

SET PASSWORD FOR 'bob'@'%.loc.gov' = PASSWORD('abc');
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

Known issues

The cracklib plugin is incompatible with the PAM authentication plugin. As PAM user passwords are not stored into the database, it will be impossible to create new users with PAM authentication.

See also

• Password Validation
• simple_password_check plugin - permits the setting of basic criteria for passwords