
ApsaraDB RDS: Configure a custom password policy

Last Updated: Mar 08, 2024

This topic describes how to configure a custom password policy for an ApsaraDB RDS for MySQL instance. You can use custom password policies to ensure the security of your RDS instance.

Prerequisites

  • Your RDS instance runs one of the following database engine versions and RDS editions:

    • MySQL 5.7 on RDS Basic Edition

    • MySQL 5.7 on RDS High-availability Edition

    • MySQL 5.7 on RDS Cluster Edition

    • MySQL 8.0 on RDS Cluster Edition

  • The minor engine version of your RDS instance is updated to the latest version. For more information, see Update the minor engine version.

Usage notes

When you configure or modify a custom password policy in the ApsaraDB RDS console, the custom password policy cannot take precedence over the following default password policy:

  • The password must be 8 to 32 characters in length.

  • The password must contain at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters.

  • The password can contain the following special characters: ! @ # $ % ^ & * ( ) _ + - =

Feature description

If your RDS instance runs MySQL 8.0 on RDS Cluster Edition or MySQL 5.7, you can use the validate_password extension to modify the rules that are used to check password complexity. You must specify the following password complexity rules in a custom password policy:

  • Whether the password can be the same as the username

  • The length of the password

  • The number of uppercase letters and lowercase letters in the password

  • The number of digits in the password

  • The number of special characters in the password

  • The strength of the password

Step 1: Install validate_password

  1. Connect to your RDS instance. For more information, see Connect to an ApsaraDB RDS for MySQL instance.

    Note

    You must use the privileged account of your RDS instance to connect to your RDS instance. For more information, see Create a privileged account.

  2. Execute the following statement in the SQL window to install validate_password:

    INSTALL PLUGIN validate_password SONAME 'validate_password.so';

  3. Execute the following statement in the SQL window to check whether validate_password is installed:

    SHOW GLOBAL VARIABLES LIKE 'validate_password%';

    If information similar to the following figure is returned, validate_password is installed.

    [Figure: returned result]

    Note

    You can configure custom password policies only when your RDS instance runs MySQL 8.0 on RDS Cluster Edition or MySQL 5.7. If your RDS instance runs a different database engine version or a different RDS edition, you can install validate_password, but you cannot configure custom password policies.

Step 2: Configure a custom password policy

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane of the page that appears, click Parameters.

  3. Configure the parameters whose names are prefixed by loose_validate_password. For more information, see Modify instance parameters.

    Note

    Before you modify the parameters, you must install validate_password. If validate_password is not installed, the new parameter settings do not take effect. For more information, see Step 1: Install validate_password.

    Parameter

    Description

    loose_validate_password_check_user_name

    Specifies whether the password can be the same as the username. Valid values:

    • ON: The password can be the same as the username.

    • OFF: The password cannot be the same as the username.

    Default value: ON.

    loose_validate_password_policy

    The strength of the password. Valid values:

    • 0: The strength of the password is low. ApsaraDB RDS checks only the length of the password.

    • 1: The strength of the password is medium. In addition to the length of the password, ApsaraDB RDS checks the number of digits, number of uppercase letters and lowercase letters, and number of special characters in the password.

    • 2: The strength of the password is high. ApsaraDB RDS checks the length of the password and checks the password against the dictionary file. In addition, ApsaraDB RDS checks the number of digits, number of uppercase letters and lowercase letters, and number of special characters in the password.

      Note

      The dictionary file cannot be specified. As a result, values 1 and 2 specify the same password strength.

    Default value: 1.

    loose_validate_password_length

    The length of the password. Valid values: 0 to 256.

    Default value: 8.

    Note

    The default password policy that is applied in the ApsaraDB RDS console requires a password length of at least eight characters. A password that is set in the ApsaraDB RDS console must be at least eight characters in length even if you set this parameter to 5. However, you can execute the SET PASSWORD statement to change the password to one that is 5 characters in length.

    loose_validate_password_number_count

    The number of digits in the password. Valid values: 0 to 256.

    Default value: 1.

    loose_validate_password_mixed_case_count

    The number of uppercase letters and lowercase letters in the password. Valid values: 0 to 256.

    Default value: 1.

    loose_validate_password_special_char_count

    The number of special characters in the password. Valid values: 0 to 256.

    Default value: 1.

    Note

    For more information, see the open source MySQL documentation.
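
The following statements are an added example, not part of the original ApsaraDB RDS documentation. They read the policy back after Step 2 and confirm that it is enforced for passwords set through SQL, which is the path the console default policy does not cover. The account name policy_probe and both sample passwords are constructed placeholders.

```sql
-- Added example: verify the custom password policy on the SQL path.
-- Run as the privileged account after Step 1 and Step 2.
-- The console parameters carry a loose_ prefix; inside the server the same
-- settings appear as validate_password_* variables.

-- 1. The plugin must be ACTIVE, otherwise the parameters have no effect.
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM information_schema.PLUGINS
WHERE PLUGIN_NAME = 'validate_password';

-- 2. Read back the effective values and flag a minimum length below the
--    8 characters that the console default policy requires.
SELECT @@GLOBAL.validate_password_policy             AS policy,
       @@GLOBAL.validate_password_length             AS min_length,
       @@GLOBAL.validate_password_number_count       AS digits,
       @@GLOBAL.validate_password_mixed_case_count   AS mixed_case,
       @@GLOBAL.validate_password_special_char_count AS special_chars,
       IF(@@GLOBAL.validate_password_length < 8,
          'shorter than console default', 'ok')      AS length_vs_console;

-- 3. Score candidate passwords without touching any account. Documented scale:
--    0 = fewer than 4 characters, 25 = shorter than validate_password_length,
--    50 = satisfies policy 0, 75 = satisfies policy 1, 100 = satisfies policy 2.
SELECT VALIDATE_PASSWORD_STRENGTH('abcdefgh') AS letters_only,
       VALIDATE_PASSWORD_STRENGTH('Abcdef1!') AS mixed_classes;

-- 4. Enforcement test on a locked throwaway account (hypothetical name).
--    Strengthen the initial password if your configured counts are higher.
CREATE USER 'policy_probe'@'%'
  IDENTIFIED BY 'Constructed-Sample-1!' ACCOUNT LOCK;
-- A rejected change reports ERROR 1819. If this ALTER succeeds, the policy
-- is not being enforced for a letters-only password.
ALTER USER 'policy_probe'@'%' IDENTIFIED BY 'abcdefgh';
-- Always clean up the probe account.
DROP USER 'policy_probe'@'%';
```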