
ApsaraDB RDS: Custom password policies

Last Updated: Aug 22, 2025

RDS for MySQL lets you use the validate_password plugin to create custom password policies. This feature enhances database access security by allowing you to modify password complexity rules, such as password length and password strength.

Function introduction

The validate_password plugin for RDS for MySQL provides fine-grained control over the complexity requirements for database account passwords:

  • Whether the password can be the same as the database username

  • Minimum password length

  • Minimum number of uppercase and lowercase letters

  • Minimum number of digits

  • Minimum number of special characters

  • Password strength check policy

Prerequisites

The RDS for MySQL instance runs MySQL 5.7 or 8.0.

Important

  • The validate_password plugin installed on the primary node is not automatically synchronized to the secondary node

    For instances with a primary/secondary architecture (High-availability Edition or Cluster Edition), you must install the validate_password plugin on the primary and secondary nodes separately. You can perform a manual primary/secondary failover to log on to the secondary node and install the plugin. If you install the plugin only on the primary node, the plugin will not be available on the new primary node (the original secondary node) after a failover. This invalidates the password policy.

    Note

    After the plugin is installed, password policy parameters configured in the RDS console are automatically synchronized to the secondary node. You do not need to set them again.

  • Core parameter limits and system handling

    The length value must be greater than or equal to number_count + (2 × mixed_case_count) + special_char_count. If a value does not meet this requirement, RDS automatically adjusts the length value to be equal to the result of the formula.

  • RDS mandatory rules

    Regardless of the custom policy settings, when you create or modify a password in the RDS console or by calling an API operation (CreateAccount or ResetAccountPassword), the password must always meet the following requirements:

    • Be 8 to 32 characters in length.

    • Contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters (!@#$%^&*()_+-=).

  • Bypassing the 8-character minimum length limit (not recommended)

    You cannot bypass the mandatory check in the RDS console by adjusting the parameter value. Even if you set the minimum password length to 5, you must still enter at least 8 characters when you create or modify a password.

    To set a password that has fewer than 8 characters, you can use the SET PASSWORD command to bypass the mandatory check in the RDS console and directly set a 5-character password. This method is suitable only for test environments or special scenarios. Do not use it in a production environment.

Pricing

The custom password policy feature is free of charge.

Step 1: Install the validate_password plugin

  1. Use a privileged account to connect to the MySQL instance.

  2. Run the following SQL command to install the validate_password plugin.

    INSTALL PLUGIN validate_password SONAME 'validate_password.so';

  3. Run the following SQL command to verify that the plugin is installed.

    SHOW GLOBAL VARIABLES LIKE 'validate_password%';

    If a result similar to the following is returned, the plugin is installed.

    [Figure: Returned result]

Step 2: Modify password policy parameters

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the navigation pane on the left, click Parameters.

  3. Follow the instructions in Set instance parameters to search for and modify the loose_validate_password series of parameters.

    Note

    | Parameter | Supported database versions | Description | Configuration example (MySQL 5.7) |
    | --- | --- | --- | --- |
    | loose_validate_password_check_user_name | 5.7 | Specifies whether the password can be the same as the username. Valid values: ON (default): Allowed; OFF: Not allowed. | OFF: The password cannot be the same as the username. |
    | loose_validate_password_policy | 8.0/5.7 | The password strength check level. Valid values: 0: Checks only the password length; 1 (default): Checks the password length, digits, uppercase and lowercase letters, and special characters; 2: Checks the password length, digits, uppercase and lowercase letters, special characters, and the dictionary file. Note: Because you cannot specify a dictionary file, level 2 is the same as level 1. | 1: Checks the password length, digits, uppercase and lowercase letters, and special characters. |
    | loose_validate_password_length | 8.0/5.7 | The minimum password length. MySQL 5.7: The value can be from 0 to 256. The default value is 8. MySQL 8.0: The value can be from 1 to 12. The default value is 8. | 10: The minimum password length is 10 characters (meets the requirement: 10 >= 2 + (2 × 2) + 1 = 7). |
    | loose_validate_password_number_count | 5.7 | The required number of digits in the password. The value can be from 0 to 256. The default value is 1. | 2: The password must contain at least 2 digits. |
    | loose_validate_password_mixed_case_count | 5.7 | The required number of uppercase and lowercase letters in the password. The value can be from 0 to 256. The default value is 1. | 2: The password must contain at least one uppercase letter and one lowercase letter (a total of 2 mixed-case letters). |
    | loose_validate_password_special_char_count | 5.7 | The required number of special characters in the password. The value can be from 0 to 256. The default value is 1. | 1: The password must contain at least 1 special character. |
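
A read-only check for the per-node installation requirement and the length formula described above, as an added example that is not part of the original page. Run it on the primary node and again on the new primary after a failover. The sample passwords are constructed, and the queries read the plugin's system variables by the names shown by SHOW GLOBAL VARIABLES (without the console's loose_ prefix).

```sql
-- Added example, not from the original page. Read-only: changes no settings.

-- 1. Is the plugin loaded on the node this session is connected to?
--    Expect one row with PLUGIN_STATUS = 'ACTIVE'. No row means the password
--    policy is not enforced on this node, whatever the console parameters say.
SELECT PLUGIN_NAME, PLUGIN_STATUS, PLUGIN_LIBRARY
FROM information_schema.PLUGINS
WHERE PLUGIN_NAME = 'validate_password';

-- 2. Compare the configured minimum length with the floor from the page's formula:
--    number_count + (2 x mixed_case_count) + special_char_count.
--    The statement fails with "Unknown system variable" if the plugin is missing.
SELECT
  @@GLOBAL.validate_password_policy AS policy,
  @@GLOBAL.validate_password_length AS configured_length,
  @@GLOBAL.validate_password_number_count
    + 2 * @@GLOBAL.validate_password_mixed_case_count
    + @@GLOBAL.validate_password_special_char_count AS formula_floor,
  GREATEST(
    @@GLOBAL.validate_password_length,
    @@GLOBAL.validate_password_number_count
      + 2 * @@GLOBAL.validate_password_mixed_case_count
      + @@GLOBAL.validate_password_special_char_count
  ) AS effective_min_length;

-- 3. Score constructed sample passwords against the active policy.
--    VALIDATE_PASSWORD_STRENGTH() returns:
--      0   shorter than 4 characters, or the plugin is not installed
--      25  at least 4 characters but shorter than validate_password_length
--      50  satisfies policy 0 (length only)
--      75  satisfies policy 1
--      100 satisfies policy 2
--    Use throwaway strings only: the statement text can end up in query logs.
SELECT candidate, VALIDATE_PASSWORD_STRENGTH(candidate) AS score
FROM (
  SELECT 'abc' AS candidate
  UNION ALL SELECT 'abcde'
  UNION ALL SELECT 'Sample#Passw0rd-42'
) AS samples;
```

A score of 0 for every candidate, including the long one, together with an empty result in step 1, indicates the node was promoted without the plugin installed.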

References