Information
Passwords should be configured with a minimum length of 14 characters and should be checked against dictionaries of common, known, and expected passwords.
Rationale:
Long passwords help mitigate dictionary, brute forcing, and other password attacks. Comparing passwords to password dictionaries prevents users from choosing known and easily guessable passwords.
Impact:
Users will not be able to directly set password hashes directly (e.g. SET PASSWORD = '') since this bypasses password validation.
Solution
Install the password check plugins:
INSTALL SONAME 'simple_password_check';
INSTALL SONAME 'cracklib_password_check';
Note A supporting linux distribution package may need to be installed before installing the cracklib plugin. Follow installation guidance on the Cracklib Password Check Plugin page in the References section.
Add the following lines to MariaDB configuration files:
plugin_load_add = simple_password_check
simple_password_check = FORCE_PLUS_PERMANENT
simple_password_check_minimal_length = 14
plugin_load_add = cracklib_password_check
cracklib_password_check = FORCE_PLUS_PERMANENT
strict_password_validation = ON
Consider customizing the password dictionary to include usernames of all MariaDB users and any other risky passwords patterns noted in the Audit Procedure.
Set cracklib_password_check_dictionary if using a customized password dictionary.
Default Value:
Simple Password Check Plugin and Cracklib Password Check Plugin are not installed by default. strict_password_validation is ON by default.