ApsaraDB for MyBase allows you to configure a policy that defines password strength rules for your database instance. This ensures the security of your database.

Prerequisites

Considerations

When you create or change a password in the ApsaraDB RDS console, the following initial password policy takes precedence over the custom password policy:
  • The password must be 8 to 32 characters in length.
  • The password of the account must contain at least three of the following character types: letters, digits, and special characters.
  • The special characters include exclamation points (!),@#$%^&*()_+-=

Feature description

If a database instance runs MySQL 5.7, you can use the validate_password plug-in to specify the following password complexity rules. The system validates the password of your database account based on the specified rules.
  • A rule that specifies whether the password and the username can be the same
  • The length of the password
  • The number of letters in the password
  • The number of digits in the password
  • The number of special characters in the password
  • The level of password strength validation

Step 1: Install the validate_password plug-in

  1. Connect to an ApsaraDB RDS for MySQL instance.
    Note You must use a privileged account to connect to a MyBase for MySQL instance. For more information, see Create a privileged account.
  2. In the SQL window, execute the following statement to install the validate_password plug-in:
    INSTALL PLUGIN validate_password SONAME 'validate_password.so';
  3. In the SQL window, execute the following statement to verify that the plug-in is installed:
    SHOW GLOBAL VARIABLES LIKE 'validate_password%';
    The following figure shows an example of the return result. This output indicates that the plug-in is installed. Output

Step 2: Configure password policy parameters

  1. Log on to the ApsaraDB for MyBase console.
  2. In the upper-left corner of the page, select the region where you want to deploy the dedicated cluster.
  3. In the left-side navigation pane, click Instances. On the page that appears, find the instance that you want to manage, and modify the configuration of the instance.
    • To modify the configuration of a MyBase for MySQL instance or a MyBase for PostgreSQL instance, click More in the Actions column. Then, select Change Specifications from the drop-down list.
    • To modify the configuration of a MyBase for SQL Server instance, click Change Specifications in the Actions column.
  4. Find the instance for which you want to configure password policy parameters and click the instance ID. On the instance details page, click Parameters in the left-side navigation pane.
  5. Configure the loose_validate_password parameters. The following table describes these parameters.
    Note Before you configure the following parameters, ensure that the validate_password plug-in is installed as described in Step 1: Install the validate_password plug-in. Otherwise, the configuration does not take effect.
    Parameter Description
    loose_validate_password_check_user_name Specifies whether the password and the username can be the same. Valid values:
    • ON: The password and the username can be the same.
    • OFF: The password and the username must be different.

    Default value: OFF.

    validate_password_policy The level of password strength validation. Valid values:
    • 0: loose. The system checks only the password length.
    • 1: medium. The system checks the password length, digits, letters, and special characters.
    • 2: strict. The system checks the password length, numbers, letters, special characters, and the dictionary file.
      Note The dictionary file cannot be specified. Therefore, the system checks the same items regardless of whether you set this parameter to 1 or 2.

    Default value: 1.

    validate_password_length The length of the password. Valid values: 0 to 256.

    Default value: 8.

    validate_password_number_count The number of digits in the password. Valid values: 0 to 256.

    Default value: 1.

    validate_password_mixed_case_count The number of letters in the password. Valid values: 0 to 256.

    Default value: 1.

    validate_password_special_char_count The number of special characters in the password. Valid values: 0 to 256.

    Default value: 1.

    Note