All Products
Search

This Product

    ApsaraDB RDS:Configure a custom password policy

    Document Center

    ApsaraDB RDS:Configure a custom password policy

    Last Updated:Oct 31, 2024

    This topic describes how to configure a custom password policy for an ApsaraDB RDS for MySQL instance. You can use custom password policies to ensure the security of your RDS instance.

    Prerequisites

    The minor engine version of your RDS instance is updated to the latest version. For more information, see Update the minor engine version.

    Usage notes

    When you configure or modify a custom password policy in the ApsaraDB RDS console, the custom password policy cannot take precedence over the following default password policy:

    • The password must be 8 to 32 characters in length.

    • The password must contain at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters.

    • The password can contain the following special characters: ! @ # $ % ^ & * ( ) _ + - =

    Feature description

    If your RDS instance runs MySQL 8.0 or MySQL 5.7, you can use the validate_password extension to modifies the rules that are used to check password complexity. You must specify the following password complexity rules in a custom password policy:

    • Whether the password can be the same as the username

    • The length of the password

    • The number of uppercase letters and lowercase letters in the password

    • The number of digits in the password

    • The number of special characters in the password

    • The strength of the password

    Step 1: Install validate_password

    1. Connect to your RDS instance. For more information, see Connect to an ApsaraDB RDS for MySQL instance.

      Note

      You must use the privileged account of your RDS instance to connect to your RDS instance. For more information, see Create a privileged account.

    2. Execute the following statement in the SQL window to install validate_password: 

      INSTALL PLUGIN validate_password SONAME 'validate_password.so';

    3. Execute the following statement in the SQL window to check whether validate_password is installed: 

      SHOW GLOBAL VARIABLES LIKE 'validate_password%';

      If information similar to the following figure is returned, validate_password is installed.返回结果

    Step 2: Configure a custom password policy

    1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

    2. In the left-side navigation pane of the page that appears, click Parameters.

    3. Configure the parameters whose names are prefixed by loose_validate_password. For more information, see Modify instance parameters.

      Note

      Before you modify the parameters, you must install validate_password. If validate_password is not installed, the new parameter settings do not take effect. For more information, see Step 1: Install validate_password.

      Parameter

      Description

      loose_validate_password_check_user_name

      Specifies whether the password can be the same as the username. Valid values:

      • ON: The password can be the same as the username.

      • OFF: The password cannot be the same as the username.

      Default value: ON.

      loose_validate_password_policy

      The strength of the password. Valid values:

      • 0: The strength of the password is low. ApsaraDB RDS checks only the length of the password.

      • 1: The strength of the password is medium. In addition to the length of the password, ApsaraDB RDS checks the number of digits, number of uppercase letters and lowercase letters, and number of special characters in the password.

      • 2: The strength of the password is high. ApsaraDB RDS checks the length and dictionary file of the password. In addition, ApsaraDB RDS checks the number of digits, number of uppercase letters and lowercase letters, and number of special characters in the password.

        Note

        The dictionary file cannot be specified. This indicates that values 1 and 2 specify the same password strength.

      Default value: 1.

      loose_validate_password_length

      The length of the password. Valid values: 0 to 256.

      Default value: 8.

      Note

      The default password policy that is applied in the ApsaraDB RDS console requires a password length of at least eight characters. The length of each password must be greater than or equal to eight characters even if you set this parameter to 5 in the ApsaraDB RDS console. However, you can execute the SET PASSWORD statement to change the password length to 5 characters.

      loose_validate_password_number_count

      The number of digits in the password. Valid values: 0 to 256.

      Default value: 1.

      loose_validate_password_mixed_case_count

      The number of uppercase letters and lowercase letters in the password. Valid values: 0 to 256.

      Default value: 1.

      loose_validate_password_special_char_count

      The number of special characters in the password. Valid values: 0 to 256.

      Default value: 1.

      Note

      For more information, see open source MySQL documentation.