Improving MySQL Password Security with Validation Plugin

MySQL Password Security PluginIn systems nowadays, improving security is a must! One of the weakest links in the security system is the user password from where an attacker can enter. In order to improve password strength and security, MySQL provides a plugin called “Validation plugin” which can be configured to enforce a set of rules for passwords.

 

Installation

The plugin can be enabled by executing the following at runtime:

Or by adding the plugin in the configuration file, but this requires bouncing MySQL for it to take effect:

It’s also suggested to add the following variable in my.cnf so that the plugin cannot be removed at runtime (also requires a MySQL bounce to take effect):

Checking Installation

You can check if the plugin is installed by either checking plugins:

Or by checking if the following variables are enabled in MySQL:

 

Usage

A short summary of the variables that affect the password is:

Validate_password_policy: Determines password strength policy which can be LOW, MEDIUM, or STRONG. Depending on which policy is set, some variables might be ignored.

PolicyVariables checked
0 or LOWLength
1 or MEDIUMLength; numeric, lowercase/uppercase, and special characters
2 or STRONGLength; numeric, lowercase/uppercase, and special characters; dictionary file

Validate_password_length: Minimum number of characters

Validate_password_mixed_case_count: Minimum number of upper and lower case characters

Validate_password_number_count: Minimum number of numeric characters

Validate_password_special_char_count: Minimum number of non-alpha-numeric characters

Validate_password_check_user_name: If enabled, prevents a user from setting a password equal to its username or the reverse of it

Validate_password_dictionary_file: Path for dictionary file with a maximum size of 1 MB containing one word per line. Any password with a substring that matches any of the words from the dictionary cannot be used, the check is case insensitive, and the minimum length of the dictionary is 4 letters per word. After modifying the dictionary file, “SET GLOBAL Validate_password_dictionary_file = ‘path_to_dictionary’;” must be executed again for the dictionary to be reloaded.

Note: After increasing passwords policies, current passwords are not automatically expired and might potentially not fit in the new policy. A password expiration method should be used to force users to set a new password after a fixed number of days or when password policies have changed.

 

Examples

Trying to set the following passwords result in an error:

Password is only accepted if having at least 8 characters, including 1 special character, 1 numeric, 1 lower and 1 uppercase like the following:

If setting:

And having the following dictionary file (remember a minimum of 4 letter words)

The following passwords that include case insensitive string “man1” are not accepted:

But the following password is accepted since it complies with all the requirements:

 

Use cases

Each company will have different password requirements depending on their needs and policies, but for some businesses and companies there are already standard in place, such as:

  • PCI/DSS (Payment Card Industry Data Security Standards) which has various policies regarding security, but regarding passwords the requirements are:
    • Require a minimum length of at least seven characters.
    • Contain both numeric and alphabetic characters.

Which can be implemented by setting the following:

Note: The above settings might seem weak as per nowadays standards, but the above settings are minimum to comply with PCI DSS and stronger policies can be used. Also, PCI/DSS has other requirements (which cannot be tackled down by validation plugin) such as password expiration policies, lockdown after 6 failed attempts, and more, and does not rely solely on password strength.

  • NIST (National Institute of Technology) password minimum requirements only consists of a minimum length of 8 (or 6 for activation passwords) which can be implemented:

NIST encourages to use more complex passwords, including special characters and dictionaries containing previously breached passwords, dictionary words, repetitive strings and common patterns such as “aaaa” or “1234” which can be fulfilled with the following config:

Having a dictionary file with prohibited words. Since the maximum dictionary size is 1 MB, the number of words and patterns that can exist in the dictionary might be limited to the required implementation of policy, although other measures such as password locking after many failures should also be implemented to comply with NIST.

OWASP (Open Web Application Security Project) has the following minimal requirements:

  • At least 1 uppercase character (A-Z)
  • At least 1 lowercase character (a-z)
  • At least 1 digit (0-9)
  • At least 1 special character including punctuation marks & spaces
  • Be at least 10 characters long.
  • Do not have more than 2 identical characters in a row (‘aaa’, ‘bbb’, etc..)

Compliance with the following configuration:

And having populated the dictionary with all possible combinations of consecutive characters.

Conclusion

The validation plugin can greatly help in enforcing passwords policies for increased system security and can be set up in a fast and easy way, but there should also be other security mechanisms to complement validation plugin such as:

password expiration

add delay to successive login retries

– limit user attempts and lock account (connection control plugin + lock account)

secure password transmission

password reuse policy

Share this post

Comments (2)

  • trangtriqc Reply

    Do I need to install anything before activating this plugin in my system?

    June 26, 2020 at 1:07 pm
  • Carlos Tutte Reply

    Hi trangtriqc! No, you do not need to activate anything prior activating the plugin. Plugin files must be in mysql’s plugin folder (which are by default)

    June 29, 2020 at 10:29 am

Leave a Reply