To control the activation of the
validate_password plugin, use this option:
--validate-password[=value]
| Property | Value |
|---|---|
| Introduced | 5.6.6 |
| Command-Line Format | --validate-password[=value] |
| Permitted Values (Type) | enumeration |
| Default | ON |
| Valid Values | ON, OFF, FORCE, FORCE_PLUS_PERMANENT |
This option controls how the server loads the
validate_password plugin at startup. The
value should be one of those available for plugin-loading
options, as described in
Section 5.5.2, “Installing and Uninstalling Plugins”. For example,
--validate-password=FORCE_PLUS_PERMANENT
tells the server to load the plugin at startup and prevents
it from being removed while the server is running.
This option is available only if the
validate_password plugin has been
previously registered with INSTALL
PLUGIN or is loaded with
--plugin-load. See
Section 6.5.3.1, “Password Validation Plugin Installation”.
If the validate_password plugin is enabled,
it exposes several system variables representing the parameters
that control password checking:
mysql> SHOW VARIABLES LIKE 'validate_password%';
+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password_dictionary_file    |        |
| validate_password_length             | 8      |
| validate_password_mixed_case_count   | 1      |
| validate_password_number_count       | 1      |
| validate_password_policy             | MEDIUM |
| validate_password_special_char_count | 1      |
+--------------------------------------+--------+
To change how passwords are checked, you can set these system variables at server startup or at runtime. The following list describes the meaning of each variable.
validate_password_dictionary_file
| Property | Value |
|---|---|
| Introduced | 5.6.6 |
| System Variable Name | validate_password_dictionary_file |
| Variable Scope | Global |
| Dynamic Variable (<= 5.6.25) | No |
| Dynamic Variable (>= 5.6.26) | Yes |
| Permitted Values (Type) | file name |
The path name of the dictionary file used by the
validate_password plugin for checking
passwords. This variable is unavailable unless that plugin
is installed.
By default, this variable has an empty value and dictionary
checks are not performed. To enable dictionary checks, you
must set this variable to a nonempty value. If the file is
named as a relative path, it is interpreted relative to the
server data directory. Its contents should be lowercase, one
word per line. Contents are treated as having a character
set of utf8. The maximum permitted file
size is 1MB.
For the dictionary file to be used during password checking,
the password policy must be set to 2
(STRONG); see the description of the
validate_password_policy
system variable. Assuming that is true, each substring of
the password of length 4 up to 100 is compared to the words
in the dictionary file. Any match causes the password to be
rejected. Comparisons are not case sensitive.
For
VALIDATE_PASSWORD_STRENGTH()
the password is checked against all policies, including
STRONG, so the strength assessment
includes the dictionary check regardless of the
validate_password_policy
value.
Before MySQL 5.6.26, changes to the dictionary file while
the server is running require a restart for the server to
recognize the changes. As of MySQL 5.6.26,
validate_password_dictionary_file
can be set at runtime and assigning a value causes the named
file to be read without a restart.
validate_password_length
| Property | Value |
|---|---|
| Introduced | 5.6.6 |
| System Variable Name | validate_password_length |
| Variable Scope | Global |
| Dynamic Variable | Yes |
| Permitted Values (Type) | integer |
| Default | 8 |
| Min Value | 0 |
The minimum number of characters that passwords checked by
the validate_password plugin must have.
This variable is unavailable unless that plugin is
installed.
The
validate_password_length
minimum value is a function of several other related system
variables. As of MySQL 5.6.10, the server will not set the
value less than the value of this expression:
validate_password_number_count + validate_password_special_char_count + (2 * validate_password_mixed_case_count)
If the validate_password plugin adjusts
the value of
validate_password_length
due to the preceding constraint, it writes a message to the
error log.
validate_password_mixed_case_count
| Property | Value |
|---|---|
| Introduced | 5.6.6 |
| System Variable Name | validate_password_mixed_case_count |
| Variable Scope | Global |
| Dynamic Variable | Yes |
| Permitted Values (Type) | integer |
| Default | 1 |
| Min Value | 0 |
The minimum number of lowercase and uppercase characters
that passwords checked by the
validate_password plugin must have if the
password policy is MEDIUM or stronger.
For a given value, the password must have that many
lowercase characters, and that many uppercase characters.
This variable is unavailable unless that plugin is
installed.
validate_password_number_count
| Property | Value |
|---|---|
| Introduced | 5.6.6 |
| System Variable Name | validate_password_number_count |
| Variable Scope | Global |
| Dynamic Variable | Yes |
| Permitted Values (Type) | integer |
| Default | 1 |
| Min Value | 0 |
The minimum number of numeric (digit) characters that
passwords checked by the
validate_password plugin must have if the
password policy is MEDIUM or stronger.
This variable is unavailable unless that plugin is
installed.
validate_password_policy
| Property | Value |
|---|---|
| Introduced | 5.6.6 |
| System Variable Name | validate_password_policy |
| Variable Scope | Global |
| Dynamic Variable | Yes |
| Permitted Values (Type) | enumeration |
| Default | 1 |
| Valid Values | 0, 1, 2 |
The password policy enforced by the
validate_password plugin. This variable
is unavailable unless that plugin is installed.
The
validate_password_policy
value can be specified using numeric values 0, 1, 2, or the
corresponding symbolic values LOW,
MEDIUM, STRONG. The
following table describes the tests performed for each
policy. For the length test, the required length is the
value of the
validate_password_length
system variable. Similarly, the required values for the
other tests are given by other
validate_password_
variables.
| Policy | Tests Performed |
|---|---|
| 0 or LOW | Length |
| 1 or MEDIUM | Length; numeric, lowercase/uppercase, and special characters |
| 2 or STRONG | Length; numeric, lowercase/uppercase, and special characters; dictionary file |
Before MySQL 5.6.10,
validate_password_policy was named
validate_password_policy_number.
validate_password_special_char_count
| Property | Value |
|---|---|
| Introduced | 5.6.6 |
| System Variable Name | validate_password_special_char_count |
| Variable Scope | Global |
| Dynamic Variable | Yes |
| Permitted Values (Type) | integer |
| Default | 1 |
| Min Value | 0 |
The minimum number of nonalphanumeric characters that
passwords checked by the
validate_password plugin must have if the
password policy is MEDIUM or stronger.
This variable is unavailable unless that plugin is
installed.
If the validate_password plugin is enabled,
it exposes status variables that provide operational
information:
mysql> SHOW STATUS LIKE 'validate_password%';
+-----------------------------------------------+---------------------+
| Variable_name                                 | Value               |
+-----------------------------------------------+---------------------+
| validate_password_dictionary_file_last_parsed | 2015-06-29 11:08:51 |
| validate_password_dictionary_file_words_count | 1902                |
+-----------------------------------------------+---------------------+
The following list describes the meaning of each status variable.
validate_password_dictionary_file_last_parsed
When the dictionary file was last parsed.
This variable was added in MySQL 5.6.26.
validate_password_dictionary_file_words_count
The number of words read from the dictionary file.
This variable was added in MySQL 5.6.26.