To prevent malicious password attacks, OceanBase Database allows you to set a password complexity function as needed to verify the logon identity and improve database security. This topic describes how to set password complexity for users who attempt to log on to OceanBase Database.
Related variables
In the MySQL mode of OceanBase Database, you can specify password complexity rules by configuring a series of tenant-level system variables. When you create a user or change a user’s logon password, the logon password is verified based on the configured system variables. If the password verification fails, an error will be reported. The following table describes the relevant system variables.
| Variable | Description | Usage notes |
|---|---|---|
| validate_password_check_user_name | Whether the user password can be the same as the username. |
|
| validate_password_length | The minimum length of a user’s password. | Default value: 0. |
| validate_password_mixed_case_count | The minimum number of uppercase or lowercase letters required in a user’s password. | Default value: 0. |
| validate_password_number_count | The minimum number of digits required in a user’s password. | Default value: 0. |
| validate_password_policy | The password check policy. |
|
| validate_password_special_char_count | The minimum number of special characters required in a user’s password. | Default value: 0. |
Set password complexity
Notice
In a production environment, it is recommended to set a password length of 20 characters, including digits, uppercase letters, lowercase letters, and special characters. The lower the complexity of the password, the greater the likelihood that it will be cracked, such as including the username, using repeated characters, etc. For security reasons, it is necessary to ensure that user passwords have high complexity.
The following example provides guidance on setting password complexity rules. In this example, the password has a minimum length of 8 characters, including at least 3 uppercase letters, 3 lowercase letters, and 1 special character; the password cannot be the same as the username, and the password check policy is set to medium.
Log on to a MySQL tenant of a cluster as the root user.
obclient -uroot@mysql -P2881 -h10.xxx.xxx.1 -p*******Set password complexity through system variables.
obclient> SET GLOBAL validate_password_check_user_name=on; obclient> SET GLOBAL validate_password_length=8; obclient> SET GLOBAL validate_password_mixed_case_count=3; obclient> SET GLOBAL validate_password_special_char_count=1; obclient> SET GLOBAL validate_password_policy='medium';Log off and log on again to check whether the variables have taken effect.
obclient> SHOW VARIABLES LIKE 'validate%'; +--------------------------------------+--------+ +--------------------------------------+--------+ | VARIABLE_NAME | VALUE | +--------------------------------------+--------+ | validate_password_check_user_name | on | | validate_password_length | 8 | | validate_password_mixed_case_count | 3 | | validate_password_number_count | 0 | | validate_password_policy | medium | | validate_password_special_char_count | 1 | +--------------------------------------+--------+ 6 rows in set (0.00 sec)Verify password complexity.
Create two users, one with a password that meets the requirements and the other with a password that does not.
obclient> CREATE USER sectest1 IDENTIFIED BY '******'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements obclient> CREATE USER sectest1 IDENTIFIED BY '***1_%'; Query OK, 0 rows affectedThe creation of the user with a password that does not meet the requirements fails.