ApsaraDB RDS for MariaDB Password Validation

This article introduces the password validation strategy of the ApsaraDB RDS for MariaDB instance console.

By Decai Xu

1. Best Practice Overview

The importance of database security is self-evident. Database account passwords should be complex enough to resist brute force attacks. Database accounts created on the ApsaraDB RDS for MariaDB console are subject to a comprehensive password validation policy, so customers cannot create low-complexity passwords there. However, it is still possible to create accounts with weak passwords through the command line, which should be avoided.

This article introduces the password validation strategy of the ApsaraDB RDS for MariaDB instance console and discusses the risk of creating weak passwords through the command line, along with the installation of the MariaDB password validation plugin.

2. Prerequisites

Before getting started, please ensure that you have registered for an Alibaba Cloud account with valid payment information.

  • Register your Alibaba Cloud account and finish real-name registration. Log on to your Alibaba Cloud account and go to Account Center to check your account status.
  • Add valid payment information to your Alibaba Cloud account. Log in and go to Alibaba Cloud User Center to check the balance.
  • Once your account is ready, activate and launch the following Alibaba Cloud services and resources:
      • ApsaraDB RDS for MariaDB

3. Process

3.1. Prepare Resources

In this part, an RDS for MariaDB instance will be launched to serve as the test database. If you already have a running RDS for MariaDB instance, please skip this part.

3.1.1 Go to the RDS purchase page and select a specific region to deploy the test database with proper specifications:


3.1.2 Select a VPC and vSwitch in which the RDS instance will be deployed.


3.1.3 Go through all the configurations, confirm your order, and complete the payment.


As shown in the example above, a 1C2G MariaDB RDS instance with 20GB storage will be created in a selected region.

3.2. Testing

3.2.1 Create a privileged database account on the RDS console


The password must be 8 to 32 characters in length and must contain at least three of the following types: uppercase letters, lowercase letters, digits, and special characters. Special characters include ! @ # $ % ^ & * ( ) _ + - =

3.2.2 Log on to the database with the privileged account


3.2.3 Create an account with a low-complexity password on the DMS console


3.2.4 Install the MariaDB password validation plugin


3.2.5 Check the password validation variables


  • simple_password_check_digits: A password must contain at least this many digits.
  • simple_password_check_letters_same_case: A password must contain at least this many upper-case and this many lower-case letters.
  • simple_password_check_minimal_length: A password must contain at least this many characters.
  • simple_password_check_other_characters: A password must contain at least this many characters that are neither digits nor letters.

For this password validation policy, the password must be at least 8 characters long and must contain at least 1 digit, 1 upper-case letter, 1 lower-case letter, and 1 special character.

3.2.6 Create an account with a low-complexity password again


The creation fails with an error message stating that the password does not satisfy the current policy requirements.

3.2.7 Create an account with a password that does not satisfy the current policy


3.2.8 Create an account with a password that satisfies the current policy
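
Steps 3.2.4 through 3.2.8 written out as SQL, as an added example that is not the article's own statements. The account names and passwords are constructed, and the session is assumed to run as the privileged account with permission to install plugins and set global variables.

```sql
-- Added example; all account names and passwords are constructed placeholders.

-- 3.2.4: load the simple_password_check plugin and confirm it is active.
INSTALL SONAME 'simple_password_check';
SELECT plugin_name, plugin_status
FROM information_schema.plugins
WHERE plugin_name = 'simple_password_check';

-- 3.2.5: inspect the four policy variables described in the article.
SHOW GLOBAL VARIABLES LIKE 'simple_password_check%';

-- Only needed if the values shown differ from the policy in 3.2.5
-- (assumes the account may change global variables).
SET GLOBAL simple_password_check_minimal_length    = 8;
SET GLOBAL simple_password_check_digits            = 1;
SET GLOBAL simple_password_check_letters_same_case = 1;
SET GLOBAL simple_password_check_other_characters  = 1;

-- A pre-hashed password cannot be inspected by the plugin. With this
-- variable ON, such statements are rejected instead of bypassing the policy.
SHOW GLOBAL VARIABLES LIKE 'strict_password_validation';

-- 3.2.6 / 3.2.7: each statement below fails with
-- "Your password does not satisfy the current policy requirements".
CREATE USER 'demo_short'@'%'     IDENTIFIED BY 'Ab1!';      -- fewer than 8 characters
CREATE USER 'demo_nodigit'@'%'   IDENTIFIED BY 'Abcdefg!';  -- no digit
CREATE USER 'demo_noupper'@'%'   IDENTIFIED BY 'abcdef1!';  -- no upper-case letter
CREATE USER 'demo_nolower'@'%'   IDENTIFIED BY 'ABCDEF1!';  -- no lower-case letter
CREATE USER 'demo_nospecial'@'%' IDENTIFIED BY 'Abcdefg1';  -- no special character

-- 3.2.8: meets every requirement, so the account is created.
CREATE USER 'demo_ok'@'%' IDENTIFIED BY 'Abcdef1!';

-- The same policy applies when an existing password is changed.
SET PASSWORD FOR 'demo_ok'@'%' = PASSWORD('weakpass');      -- rejected
ALTER USER 'demo_ok'@'%' IDENTIFIED BY 'Xyzabc2#';          -- accepted

-- Clean up the test account.
DROP USER 'demo_ok'@'%';
```

The plugin only checks passwords set after it is loaded, so accounts created earlier with weak passwords (such as the one from step 3.2.3) keep them until they are changed.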


4. Conclusion

By installing the MariaDB password validation plugin, the risk of creating weak passwords from the command line can be avoided.
