This topic describes how to configure a custom password policy for an ApsaraDB RDS for MySQL instance. You can use custom password policies to ensure the security of your RDS instance.
Prerequisites
Your RDS instance runs MySQL 5.7.
The minor engine version of your RDS instance is updated to the latest version. For more information, see Update the minor engine version.
Usage notes
When you configure or modify a custom password policy in the ApsaraDB RDS console, the custom password policy cannot take precedence over the following default password policy:
The password must be 8 to 32 characters in length.
The password must contain at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters.
The password can contain the following special characters: ! @ # $ % ^ & * ( ) _ + - =
Feature description
If your RDS instance runs MySQL 5.7, you can use the validate_password extension to modify the rules that are used to check password complexity. You must specify the following password complexity rules in a custom password policy:
Whether the password can be the same as the username
The length of the password
The number of uppercase letters and lowercase letters in the password
The number of digits in the password
The number of special characters in the password
The strength of the password
Step 1: Install validate_password
Connect to your RDS instance. For more information, see Connect to an ApsaraDB RDS for MySQL instance.
Note: You must use the privileged account of your RDS instance to connect to your RDS instance. For more information, see Create a privileged account.
Execute the following statement in the SQL window to install validate_password:
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
Execute the following statement in the SQL window to check whether validate_password is installed:
SHOW GLOBAL VARIABLES LIKE 'validate_password%';
If information similar to the following figure is returned, validate_password is installed.
Step 2: Configure a custom password policy
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane of the page that appears, click Parameters.
Configure the parameters whose names are prefixed by loose_validate_password. For more information, see Modify instance parameters.
Note: Before you modify the parameters, you must install validate_password. If validate_password is not installed, the new parameter settings do not take effect. For more information, see Step 1: Install validate_password.
Parameter
Description
loose_validate_password_check_user_name
Specifies whether the password can be the same as the username. Valid values:
ON: The password can be the same as the username.
OFF: The password cannot be the same as the username.
Default value: ON.
loose_validate_password_policy
The strength of the password. Valid values:
0: The strength of the password is low. ApsaraDB RDS checks only the length of the password.
1: The strength of the password is medium. In addition to the length of the password, ApsaraDB RDS checks the number of digits, number of uppercase letters and lowercase letters, and number of special characters in the password.
2: The strength of the password is high. ApsaraDB RDS checks the length and dictionary file of the password. In addition, ApsaraDB RDS checks the number of digits, number of uppercase letters and lowercase letters, and number of special characters in the password.
Note: The dictionary file cannot be specified. This indicates that values 1 and 2 specify the same password strength.
Default value: 1.
loose_validate_password_length
The length of the password. Valid values: 0 to 256.
Default value: 8.
Note: The default password policy that is applied in the ApsaraDB RDS console requires a password length of at least eight characters. The length of each password must be greater than or equal to eight characters even if you set this parameter to 5 in the ApsaraDB RDS console. However, you can execute the SET PASSWORD statement to change the password length to 5 characters.
loose_validate_password_number_count
The number of digits in the password. Valid values: 0 to 256.
Default value: 1.
loose_validate_password_mixed_case_count
The number of uppercase letters and lowercase letters in the password. Valid values: 0 to 256.
Default value: 1.
loose_validate_password_special_char_count
The number of special characters in the password. Valid values: 0 to 256.
Default value: 1.
Note: For more information, see open source MySQL documentation.
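Added example (not part of the original page and not Alibaba Cloud code): a Python pre-check that evaluates a candidate password against both layers described above, the console default policy and the validate_password parameters, so provisioning scripts can see which layer would reject it. It assumes open source MySQL semantics: mixed_case_count applies to uppercase and lowercase separately, any non-alphanumeric character counts as special, and the enforced length is never below number_count + special_char_count + 2 * mixed_case_count. The class and function names are hypothetical, and loose_validate_password_check_user_name is not modeled.

```python
from dataclasses import dataclass

CONSOLE_SPECIALS = set("!@#$%^&*()_+-=")  # specials the console policy accepts (from this page)

@dataclass
class PluginPolicy:
    """validate_password settings; defaults are the ones listed on this page."""
    policy: int = 1              # 0 = length only; 1 and 2 = length + character counts
    length: int = 8
    number_count: int = 1
    mixed_case_count: int = 1
    special_char_count: int = 1

    def effective_length(self) -> int:
        # Assumption: open source MySQL raises the length to at least this sum.
        floor = self.number_count + self.special_char_count + 2 * self.mixed_case_count
        return max(self.length, floor)

def _counts(pw: str) -> dict:
    tests = {"upper": str.isupper, "lower": str.islower, "digit": str.isdigit,
             "special": lambda c: not c.isalnum()}
    return {k: sum(map(f, pw)) for k, f in tests.items()}

def plugin_violations(pw: str, p: PluginPolicy) -> list:
    """Reasons validate_password would reject pw (for example on SET PASSWORD)."""
    n, out = _counts(pw), []
    if len(pw) < p.effective_length():
        out.append("length")
    if p.policy >= 1:
        if n["digit"] < p.number_count:
            out.append("digits")
        if n["upper"] < p.mixed_case_count or n["lower"] < p.mixed_case_count:
            out.append("mixed case")
        if n["special"] < p.special_char_count:
            out.append("special characters")
    return out

def console_violations(pw: str) -> list:
    """Reasons the console default policy would reject pw."""
    n, out = _counts(pw), []
    if not 8 <= len(pw) <= 32:
        out.append("length 8-32")
    if sum(v > 0 for v in n.values()) < 3:
        out.append("three character types")
    if any(not c.isalnum() and c not in CONSOLE_SPECIALS for c in pw):
        out.append("unsupported special character")
    return out

if __name__ == "__main__":  # constructed sample: passes the plugin at length=5, fails the console
    print(plugin_violations("aB1!x", PluginPolicy(length=5)), console_violations("aB1!x"))
```

An empty list from both functions means the password satisfies the console default policy and the configured plugin policy.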