ApsaraDB MyBase allows you to configure a policy that defines password strength rules for your database instance. This ensures the security of your database.

Prerequisites

Overview

If a database instance runs MySQL 5.7, you can use the validate_password plug-in to specify the following password complexity rules. The system validates the password of your database account based on the specified rules.
  • Whether the password can be the same as the username.
  • The length of the password.
  • The number of letters in the password.
  • The number of digits in the password.
  • The number of special characters in the password.
  • The strength of the password.

Step 1: Install the validate_password plug-in

  1. Connect to your ApsaraDB MyBase for MySQL instance. For more information, see Use a database client or the CLI to connect to an ApsaraDB MyBase for MySQL instance.
    Note: You must use the privileged account of your ApsaraDB RDS for MySQL instance to connect to the instance. For more information, see Create a database account.
  2. Execute the following statement in the SQL window to install the validate_password plug-in:
    INSTALL PLUGIN validate_password SONAME 'validate_password.so';
  3. Execute the following statement in the SQL window to check whether the validate_password plug-in is installed:
    SHOW GLOBAL VARIABLES LIKE 'validate_password%';
    If information similar to the following figure is returned, the validate_password plug-in is installed.
    [Figure: Command output]

Step 2: Configure password policy parameters

  1. Log on to the ApsaraDB MyBase console.
  2. In the upper-left corner of the page, select the region where you want to create a dedicated cluster.
  3. In the left-side navigation pane, choose Instances > MySQL.
  4. Find the instance that you want to manage and click Details in the Actions column. In the left-side navigation pane, click Parameters.
  5. Configure the loose_validate_password parameters. The following table describes these parameters.
    Note: Before you configure the following parameters, make sure that the validate_password plug-in is installed based on the instructions in Step 1: Install the validate_password plug-in. Otherwise, the configuration does not take effect.
    | Parameter | Description | Valid values | Default value |
    | --- | --- | --- | --- |
    | loose_validate_password_check_user_name | Specifies whether the password can be the same as the username. | ON: The password can be the same as the username. OFF: The password cannot be the same as the username. | OFF |
    | validate_password_policy | The strength of the password. | 0: The strength of the password is low. The system checks only the length of the password. 1: The strength of the password is medium. The system checks the password length, digits, letters, and special characters. 2: The strength of the password is strict. The system checks the password length, digits, letters, special characters, and the dictionary file. Note: The dictionary file cannot be specified. This indicates that the value 1 and the value 2 specify the same password strength. | 1 |
    | validate_password_length | The length of the password. | 0 to 256 | 8 |
    | validate_password_number_count | The number of digits in the password. | 0 to 256 | 1 |
    | validate_password_mixed_case_count | The number of letters in the password. | 0 to 256 | 1 |
    | validate_password_special_char_count | The number of special characters in the password. | 0 to 256 | 1 |
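
One way to verify the policy after Step 2, as an added example that is not part of the original page: the SQL below checks the plug-in status, scores sample passwords, and tries to create one account with a weak password and one with a compliant password. The account names and passwords are constructed, and the example assumes that the privileged account is allowed to run CREATE USER and that the default values listed above are in effect.

```sql
-- Added verification example. Account names and passwords are constructed.

-- 1. Confirm that the plug-in is loaded and active.
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME = 'validate_password';

-- 2. Show the values currently in effect and compare them with the values
--    you set on the Parameters page of the console.
SHOW GLOBAL VARIABLES LIKE 'validate_password%';

-- 3. Score candidate passwords without creating an account.
--    VALIDATE_PASSWORD_STRENGTH() returns an integer from 0 to 100;
--    a higher score means the password satisfies a stricter policy level.
SELECT 'abc' AS candidate, VALIDATE_PASSWORD_STRENGTH('abc') AS score
UNION ALL
SELECT 'alllowercase', VALIDATE_PASSWORD_STRENGTH('alllowercase')
UNION ALL
SELECT 'Constructed#Pass9', VALIDATE_PASSWORD_STRENGTH('Constructed#Pass9');

-- 4. Negative test. Under the default policy (length 8, 1 digit,
--    1 mixed-case letter, 1 special character) the plug-in is expected to
--    reject this statement with MySQL error 1819. If the account is
--    created, the policy is not being enforced.
CREATE USER 'policy_test_weak'@'%' IDENTIFIED BY 'abc';

-- 5. Positive test. This password meets every default rule, so the
--    statement should succeed.
CREATE USER 'policy_test_ok'@'%' IDENTIFIED BY 'Constructed#Pass9';

-- 6. Clean up the test accounts. IF EXISTS avoids an error for the
--    account that was rejected in step 4.
DROP USER IF EXISTS 'policy_test_weak'@'%', 'policy_test_ok'@'%';
```

The plug-in validates a password only when it is set, so accounts created before the policy was configured keep their existing passwords until those passwords are changed.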

    Note