This topic describes how to configure a custom password policy for an ApsaraDB RDS for MySQL instance. You can use custom password policies to ensure the security of your RDS instance.

Prerequisites

  • Your RDS instance runs one of the following database engine versions and RDS editions:
    • MySQL 5.7 on RDS Basic Edition
    • MySQL 5.7 on RDS High-availability Edition
    • MySQL 5.7 on RDS Cluster Edition
    • MySQL 8.0 on RDS Cluster Edition
  • The minor engine version of your RDS instance is updated to the latest version. For more information, see Update the minor engine version of an ApsaraDB RDS for MySQL instance.

Precautions

When you configure or modify a custom password policy in the ApsaraDB RDS console, the custom password policy cannot take precedence over the following default password policy:
  • The password must be 8 to 32 characters in length.
  • A password must contain at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters.
  • The password can contain the following special characters: ! @ # $ % ^ & * () _ + - =

Introduction

If your RDS instance runs MySQL 5.7, you can use the validate_password plug-in to configure a custom password policy that is used to check password complexity. A custom password policy contains the following password complexity rules:

  • Whether the password can be the same as the username
  • The length of the password
  • The number of uppercase letters and lowercase letters in the password
  • The number of digits in the password
  • The number of special characters in the password
  • The strength of the password

Step 1: Install the validate_password plug-in

  1. Connect to your RDS instance. For more information, see Connect to an ApsaraDB RDS for MySQL instance.
    Note You must use the privileged account of your RDS instance to connect to your RDS instance. For more information, see Create a privileged account.
  2. Execute the following statement in the SQL window to install the validate_password plug-in:
    INSTALL PLUGIN validate_password SONAME 'validate_password.so';
  3. Execute the following statement in the SQL window to check whether the validate_password plug-in is installed:
    SHOW GLOBAL VARIABLES LIKE 'validate_password%';
    If variables whose names are prefixed by validate_password are returned, the validate_password plug-in is installed.
    Note You can configure custom password policies only when your RDS instance runs MySQL 5.7 on RDS Basic Edition or RDS High-availability Edition. If your RDS instance runs a different database engine version or a different RDS edition, you can install the validate_password plug-in, but you cannot use the plug-in to configure custom password policies.

Step 2: Configure a custom password policy

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Parameters.
  3. Configure the parameters whose names are prefixed by loose_validate_password. For more information, see Modify the parameters of an ApsaraDB RDS for MySQL instance.
    Note Before you configure the parameters, you must install the validate_password plug-in. If the plug-in is not installed, the new parameter settings do not take effect. For more information, see Step 1: Install the validate_password plug-in.
    The following parameters are available:
    • loose_validate_password_check_user_name: Specifies whether the password can be the same as the username. Valid values:
      • ON: The password can be the same as the username.
      • OFF: The password cannot be the same as the username.
      Default value: OFF.
    • loose_validate_password_policy: The strength of the password. Valid values:
      • 0: The strength of the password is low. ApsaraDB RDS checks only the length of the password.
      • 1: The strength of the password is medium. In addition to the length of the password, ApsaraDB RDS checks the number of digits, the number of uppercase letters and lowercase letters, and the number of special characters in the password.
      • 2: The strength of the password is high. In addition to the checks of value 1, ApsaraDB RDS checks the password against a dictionary file.
      Note The dictionary file cannot be specified. Therefore, the values 1 and 2 specify the same password strength.
      Default value: 1.
    • loose_validate_password_length: The minimum length of the password. Valid values: 0 to 256.
      Default value: 8.
      Note The default password policy that is applied in the ApsaraDB RDS console requires a password length of at least eight characters. Even if you set this parameter to 5, a password that you set in the ApsaraDB RDS console must still be at least eight characters in length. However, a password that you set by executing the SET PASSWORD statement can be 5 characters in length.
    • loose_validate_password_number_count: The minimum number of digits that the password must contain. Valid values: 0 to 256.
      Default value: 1.
    • loose_validate_password_mixed_case_count: The minimum number of uppercase letters and the minimum number of lowercase letters that the password must contain. Valid values: 0 to 256.
      Default value: 1.
    • loose_validate_password_special_char_count: The minimum number of special characters that the password must contain. Valid values: 0 to 256.
      Default value: 1.
    Note For more information, see Password Validation Plugin Options and Variables.
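As an added example (not Alibaba Cloud's or MySQL's own code), the Python below applies the console baseline from the Precautions section together with the validate_password rules from the parameter list above to a candidate password and returns every rule it fails. The effective_min_length helper models MySQL's documented adjustment of validate_password_length to the sum the per-class counters imply; the username check is reduced to a boolean that you map to loose_validate_password_check_user_name according to the parameter description.

```python
# Added example, not ApsaraDB RDS or MySQL code: offline model of the two password policies.
# Console baseline (Precautions section): applies to passwords set in the console, cannot be relaxed.
CONSOLE_MIN_LEN, CONSOLE_MAX_LEN = 8, 32
CONSOLE_SPECIALS = set("!@#$%^&*()_+-=")


def effective_min_length(length, number_count, mixed_case_count, special_char_count):
    """MySQL raises validate_password_length to the minimum the per-class
    counters imply (digits + specials + 2 * mixed case), so the plug-in never
    enforces a shorter length than that sum."""
    return max(length, number_count + special_char_count + 2 * mixed_case_count)


def check_password(password, username="", policy=1, length=8, number_count=1,
                   mixed_case_count=1, special_char_count=1,
                   reject_username=False, via_console=True):
    """Return the rules the password fails (an empty list means it is accepted).
    Keyword names mirror the loose_validate_password_* parameters; reject_username
    is the username check as a plain boolean; via_console adds the console
    baseline, which a password set with SET PASSWORD bypasses."""
    failures = []
    digits = sum(c.isdigit() for c in password)
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    specials = sum(not c.isalnum() for c in password)  # plug-in: any non-alphanumeric character

    if reject_username and username and password in (username, username[::-1]):
        failures.append("password equals the username (or its reverse)")

    min_len = effective_min_length(length, number_count, mixed_case_count, special_char_count)
    if len(password) < min_len:
        failures.append(f"validate_password_length: at least {min_len} characters required")
    if policy >= 1:  # policy 0 checks only the length; 2 behaves like 1 because RDS has no dictionary
        if digits < number_count:
            failures.append(f"validate_password_number_count: {number_count} digit(s) required")
        if upper < mixed_case_count or lower < mixed_case_count:
            failures.append(f"validate_password_mixed_case_count: {mixed_case_count} uppercase and lowercase required")
        if specials < special_char_count:
            failures.append(f"validate_password_special_char_count: {special_char_count} special(s) required")

    if via_console:
        if not CONSOLE_MIN_LEN <= len(password) <= CONSOLE_MAX_LEN:
            failures.append("console policy: length must be 8 to 32 characters")
        if sum(n > 0 for n in (digits, upper, lower, specials)) < 3:
            failures.append("console policy: at least three character types required")
        disallowed = sorted({c for c in password if not c.isalnum() and c not in CONSOLE_SPECIALS})
        if disallowed:
            failures.append("console policy: characters not allowed: " + "".join(disallowed))
    return failures
```

A 5-character password accepted by the plug-in with length=5 still fails the console baseline, which is the behaviour described in the note on loose_validate_password_length.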