This topic describes how to configure custom password policies for an ApsaraDB RDS for MySQL instance. Custom password policies let you enforce complexity requirements on account passwords, which helps secure your RDS instance.

Prerequisites

Background information

If your RDS instance runs MySQL 5.7, you can use the validate_password plug-in to configure the policies that are used to check the complexity of the password for each account. The plug-in supports the following password policies:

  • Whether the password can be the same as the username
  • The length of the password
  • The number of uppercase letters and lowercase letters in the password
  • The number of digits in the password
  • The number of special characters in the password
  • The strength of the password

Step 1: Install the validate_password plug-in

  1. Connect to your RDS instance. For more information, see Connect to an ApsaraDB RDS for MySQL instance.
    Note: You must connect by using the privileged account of your RDS instance. For more information, see Create a privileged account.
  2. Execute the following statement in the SQL window to install the validate_password plug-in:
    INSTALL PLUGIN validate_password SONAME 'validate_password.so';
  3. Execute the following statement in the SQL window to verify that the validate_password plug-in is installed:
    SHOW GLOBAL VARIABLES LIKE 'validate_password%';
    If the statement returns a list of validate_password variables, the validate_password plug-in is installed.
    Note: You can configure custom password policies only when your RDS instance runs MySQL 5.7 on RDS Basic or High-availability Edition. If your RDS instance runs another database engine version or RDS edition, you can install the validate_password plug-in, but you cannot use the plug-in to configure custom password policies.

Step 2: Configure custom password policies

  1. Go to the Parameters page.
    1. Log on to the ApsaraDB for RDS console. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where your RDS instance resides.
    2. Find your RDS instance and click its ID. In the left-side navigation pane, click Parameters.
  2. Configure the parameters whose names are prefixed by loose_validate_password. For more information, see Reconfigure the parameters of an ApsaraDB RDS for MySQL instance.
    Note: Before you configure the parameters, you must install the validate_password plug-in. If the plug-in is not installed, the new parameter settings do not take effect. For more information, see Step 1: Install the validate_password plug-in.
    Parameter: loose_validate_password_check_user_name
    Description: Whether the password can be the same as the username. Valid values:
    • ON: The password can be the same as the username.
    • OFF: The password cannot be the same as the username.
    Default value: OFF.

    Parameter: validate_password_policy
    Description: The strength of the password. Valid values:
    • 0: The strength of the password is low. ApsaraDB RDS checks only the length of the password.
    • 1: The strength of the password is medium. ApsaraDB RDS checks the length of the password. In addition, ApsaraDB RDS checks the number of digits, number of uppercase letters and lowercase letters, and number of special characters in the password.
    • 2: The strength of the password is high. ApsaraDB RDS checks the length of the password and checks the password against the dictionary file. In addition, ApsaraDB RDS checks the number of digits, number of uppercase letters and lowercase letters, and number of special characters in the password.
      Note: The dictionary file is not required at this time, so the value 1 and the value 2 specify the same password strength.
    Default value: 1.

    Parameter: validate_password_length
    Description: The length of the password. Valid values: 0 to 256.
    Default value: 8.

    Parameter: validate_password_number_count
    Description: The number of digits in the password. Valid values: 0 to 256.
    Default value: 1.

    Parameter: validate_password_mixed_case_count
    Description: The number of uppercase letters and lowercase letters in the password. Valid values: 0 to 256.
    Default value: 1.

    Parameter: validate_password_special_char_count
    Description: The number of special characters in the password. Valid values: 0 to 256.
    Default value: 1.

    Note: For more information, see the official MySQL documentation.
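
After the parameters are applied, you can confirm from the SQL window that the server enforces the policy. The following statements are an added verification example, not part of the original topic. They assume the default parameter values listed above and a privileged account that can create and drop accounts; the account name policy_probe and both passwords are constructed placeholders.

```sql
-- Added verification example. Run the statements one at a time in the SQL
-- window, because step 4 is expected to fail.
-- Assumption: the default values from this topic are in effect
-- (policy 1, length 8, and a count of 1 for digits, mixed case and special characters).

-- 1. Confirm that the plug-in is loaded. One row with PLUGIN_STATUS = 'ACTIVE'
--    means the plug-in is active; an empty result means it is not installed.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM information_schema.PLUGINS
 WHERE PLUGIN_NAME = 'validate_password';

-- 2. Read back the values that the server is enforcing and compare them
--    with the values that you set on the Parameters page.
SHOW GLOBAL VARIABLES LIKE 'validate_password%';

-- 3. Score candidate passwords without creating an account.
--    VALIDATE_PASSWORD_STRENGTH() returns an integer from 0 to 100. A score of
--    75 or higher means the candidate satisfies policy 1 (medium).
SELECT VALIDATE_PASSWORD_STRENGTH('abc')                   AS weak_score,
       VALIDATE_PASSWORD_STRENGTH('Constructed-Passw0rd!') AS strong_score;

-- 4. Negative test: a password that is too short and has no digit, uppercase
--    letter or special character. The server must reject this statement with
--    error 1819. If the account is created, the policy is not being enforced.
DROP USER IF EXISTS 'policy_probe'@'%';
CREATE USER 'policy_probe'@'%' IDENTIFIED BY 'abc';

-- 5. Positive test: a password that meets every default requirement.
--    The server must accept this statement.
CREATE USER 'policy_probe'@'%' IDENTIFIED BY 'Constructed-Passw0rd!';

-- 6. Clean up the probe account, whichever of the statements above succeeded.
DROP USER IF EXISTS 'policy_probe'@'%';
```

If you changed any parameter from its default value, adjust the two sample passwords so that one still violates the policy and one still satisfies it.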