Enhanced Password Management Systems in MySQL 8: Part 1
source link: https://www.percona.com/blog/enhanced-password-management-systems-in-mysql-8-part-1/
MySQL 8 comes with a lot of good features, and recently I explored its password management systems. I wanted to put together a series of blogs about it, and this is the first part. In this post, I am going to explain the following topics in detail.
- Password Reuse Policy
- Random Password Generation
Password Reuse Policy
MySQL has implemented restrictions on reusing passwords. Restrictions can be established in two ways:
- Number of password changes
- Time elapsed
Number of Password Changes
From the MySQL documentation:
If an account is restricted on the basis of number of password changes, a new password cannot be chosen from a specified number of the most recent passwords.
To test this, in my local environment I have created the user with “number of password changes = 2”.
Here “password history 2” defines the number of password changes. MySQL tracks the password changes in the table “mysql.password_history”.
Now, I am going to change the password for the account “herc@localhost”.
It worked. After changing the password, I verified the “mysql.password_history” table. Now, the table tracks the last two passwords.
Now, I am going to change the password for the account “herc@localhost” again. This time, I am going to assign the same password which was assigned during the user creation “Percona@321”.
It doesn’t work; I am not able to reuse the first password, because as per my reuse policy, I can’t reuse the last two passwords, and they are being tracked in the “mysql.password_history” table. So, in my case, if I want to reuse my first password again, then it cannot be in that list.
So I assigned a different password. Now my first password is removed from the list of the last two passwords, and I tried to assign the first password.
This is working now. This is the way you can restrict the reuse of the passwords based on the number of password changes.
This can be implemented globally and during the startup for all the users using the variable “password_history”.
Password Reuse Policy Based on Time Elapsed
From the MySQL documentation:
If an account is restricted based on time elapsed, a new password cannot be chosen from passwords in the history that are newer than a specified number of days.
To test this in my local environment, I have created the user “sri@localhost” with a password reuse interval of five days.
So, this means for five days, I can’t reuse the password for the account “sri@localhost”.
Now, I am going to do the ALTER to change the password.
It is working. But, if I am going to reuse any of those passwords, based on the reuse policy, it will not be allowed for five days. Let me try with the first password now.
It gives the error as expected. This restriction can be implemented globally and during startup for all the users using the variable “password_reuse_interval”.
Random Password Generation
From MySQL 8.0.18, MySQL has the capability of creating random passwords for user accounts. This means we don’t need to assign the passwords and MySQL will take care of it. It has the support for the following statements:
- CREATE USER
- ALTER USER
- SET PASSWORD
We need to use “RANDOM PASSWORD” instead of providing the password text, and the password will be displayed on the screen during the creation.
For example:
The password hashes will be stored in the “mysql.user” table.
By default, the password length is 20 characters, based on the variable “generated_random_password_length”. We can define the password length using that variable, and the allowed length is 5 to 255.
Random passwords are not subject to the “validate_password” policy, even if that component is installed in MySQL.
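The statements behind the walkthrough above, collected as an added example (not the author's original code). Account names “herc@localhost” and “sri@localhost” and the password “Percona@321” come from the post; the other passwords, the account 'app'@'localhost' and the length 24 are constructed placeholders.

```sql
-- Added example. Run with a client that continues on error (e.g. mysql --force),
-- because one statement below is expected to be rejected.

-- 1. Reuse restricted by number of password changes.
CREATE USER 'herc'@'localhost' IDENTIFIED BY 'Percona@321' PASSWORD HISTORY 2;
ALTER USER 'herc'@'localhost' IDENTIFIED BY 'Constructed#Pw-1';

-- Entries tracked for the account (the Password column holds hashes; omitted here).
SELECT User, Host, Password_timestamp
  FROM mysql.password_history
 WHERE User = 'herc' AND Host = 'localhost';

-- Rejected: 'Percona@321' is still one of the last two passwords.
ALTER USER 'herc'@'localhost' IDENTIFIED BY 'Percona@321';

-- One more change pushes the first password out of the history window.
ALTER USER 'herc'@'localhost' IDENTIFIED BY 'Constructed#Pw-2';
ALTER USER 'herc'@'localhost' IDENTIFIED BY 'Percona@321';   -- accepted now

-- 2. Reuse restricted by time elapsed: no reuse for five days.
CREATE USER 'sri'@'localhost' IDENTIFIED BY 'Constructed#Pw-3'
  PASSWORD REUSE INTERVAL 5 DAY;

-- 3. Audit which accounts carry an explicit reuse policy.
--    NULL in either column means the account follows the global default.
SELECT User, Host, Password_reuse_history, Password_reuse_time
  FROM mysql.user
 WHERE User IN ('herc', 'sri');

-- 4. Global defaults for all accounts (also settable at startup in my.cnf).
SET PERSIST password_history = 2;
SET PERSIST password_reuse_interval = 5;

-- 5. Random password generation (MySQL 8.0.18 and later).
SET PERSIST generated_random_password_length = 24;   -- allowed range: 5 to 255
CREATE USER 'app'@'localhost' IDENTIFIED BY RANDOM PASSWORD;
ALTER USER 'app'@'localhost' IDENTIFIED BY RANDOM PASSWORD;
SET PASSWORD FOR 'app'@'localhost' TO RANDOM;
-- Each of the three statements returns the generated cleartext password in its
-- result set; only the hash is stored in mysql.user, so capture it at that point.
```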
Hopefully, this blog will be helpful for you to learn about the password reuse policy and random passwords in MySQL 8. There are a few more features to go over, which will be covered in the next part of the blog series. Stay tuned!