OceanBase Database allows you to set password complexity in MySQL mode, in order to verify the identity of logon users, prevent malicious password attacks, thereby improving database security. This topic describes how to set password complexity for users who attempt to log on to OceanBase Database.
Related variables
In MySQL mode of OceanBase Database, you can set a series of tenant-level system variables to define password complexity rules. When a user is created or when a user changes the logon password, the password is verified according to the system variable settings. If the password verification fails, an error is returned. The following table describes the related system variables:
| Variable | Description | Value Range |
|---|---|---|
| validate_password_check_user_name | Specifies whether the user password can be identical to the username. |
|
| validate_password_length | The minimum length of a user's password. | Default value: 0. |
| validate_password_mixed_case_count | The minimum number of uppercase or lowercase letters required in a user's password. | Default value: 0. |
| validate_password_number_count | The minimum number of digits required in a user's password. | Default value: 0. |
| validate_password_policy | Password check policy. |
|
| validate_password_special_char_count | The minimum number of special characters required in a user's password. | Default value: 0. |
Set password complexity
Notice:
In a production environment, it is recommended to set a password length of 20 characters, including digits, uppercase letters, lowercase letters, and special characters. The lower the complexity of the password, the greater the likelihood that it will be cracked, such as including the username, using repeated characters, etc. For security reasons, it is necessary to ensure that user passwords have high complexity.
The following example provides guidance on setting password complexity rules. In this example, the password has a minimum length of 8 characters, including at least 3 uppercase or lowercase letters, and 1 special character. The password cannot be identical to the username, and the password check policy is set to medium.
Log on to a MySQL tenant of a cluster using the root user.
obclient -uroot@mysql -P2881 -h10.xxx.xxx.1 -p***1***Set password complexity through system variables.
obclient> SET GLOBAL validate_password_check_user_name=on; obclient> SET GLOBAL validate_password_length=8; obclient> SET GLOBAL validate_password_mixed_case_count=3; obclient> SET GLOBAL validate_password_special_char_count=1; obclient> SET GLOBAL validate_password_policy='medium';Log out and log in again to check whether the variables are effective.
obclient> SHOW VARIABLES LIKE 'validate%'; +--------------------------------------+--------+ +--------------------------------------+--------+ | VARIABLE_NAME | VALUE | +--------------------------------------+--------+ | validate_password_check_user_name | on | | validate_password_length | 8 | | validate_password_mixed_case_count | 3 | | validate_password_number_count | 0 | | validate_password_policy | medium | | validate_password_special_char_count | 1 | +--------------------------------------+--------+ 6 rows in set (0.00 sec)Verify password complexity.
Create two users, one with a password that meets the requirements and the other with a password that does not meet the requirements.
obclient> CREATE USER sectest1 IDENTIFIED BY '***1**'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements obclient> CREATE USER sectest1 IDENTIFIED BY '***1_%'; Query OK, 0 rows affectedThe creation of the user with a password that does not meet the requirements fails.