The password complexity rules of OceanBase Database in MySQL mode are compatible with those of MySQL Database. To protect OceanBase Database from malicious password attacks and improve database security, you can set a password complexity function as needed to authenticate user identity.
Password complexity rules
OceanBase Database in MySQL mode allows you to specify password complexity rules by using a series of system variables. The following table describes the system variables.
| Variable | Description | Note |
|---|---|---|
| validate_password_check_user_name | Specifies whether the user password can be identical with the username. |
|
| validate_password_length | The minimum length of the user password. | Default value: 0. |
| validate_password_mixed_case_count | The minimum number of letters that a user password must contain. | Default value: 0. |
| validate_password_number_count | The minimum number of digits that a user password must contain. | Default value: 0. |
| validate_password_policy | The password check strategy. |
|
| validate_password_special_char_count | The minimum number of special characters that a user password must contain. | Default value: 0. |
For more information about variables, see System variables.
Set password complexity rules
This section describes how to set a password complexity rule that specifies that a user password must be at least 8 characters in length and contain at least 3 uppercase letters, 3 lowercase letters, and 1 special character. In addition, the rule specifies that a user password cannot be identical with the username and that the medium check strategy applies.
Log on to a MySQL tenant of the cluster as the administrator user.
Set the values of variables.
obclient> SET GLOBAL validate_password_check_user_name=on; obclient> SET GLOBAL validate_password_length=8; obclient> SET GLOBAL validate_password_mixed_case_count=3; obclient> SET GLOBAL validate_password_special_char_count=1; obclient> SET GLOBAL validate_password_policy='medium';Log off and log on again to verify whether the settings have taken effect.
obclient> SHOW VARIABLES LIKE 'validate%'; +--------------------------------------+--------+ +--------------------------------------+--------+ | VARIABLE_NAME | VALUE | +--------------------------------------+--------+ | validate_password_check_user_name | on | | validate_password_length | 8 | | validate_password_mixed_case_count | 3 | | validate_password_number_count | 0 | | validate_password_policy | medium | | validate_password_special_char_count | 1 | +--------------------------------------+--------+ 6 rows in set (0.00 sec)Create users to verify the password complexity rules.
Create two users. Set a valid password for one user and an invalid password for the other user.
obclient> CREATE USER sectest1 IDENTIFIED BY '******'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements obclient> CREATE USER sectest1 IDENTIFIED BY '******'; Query OK, 0 rows affected