7.2 Ensure 'secure_auth' is Set to 'ON' - ON

Information

This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format.

Rationale:

Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network).

Impact:

Accounts having credentials stored using the old password format will be unable to login. Execute the following command to identify accounts that will be impacted by implementing this setting:

SELECT User,Host FROM mysql.user WHERE plugin='mysql_old_password';

Solution

Add the following line to [mysqld] portions of the MySQL option file to establish the recommended state:

secure_auth=ON

Default Value:

Prior to MySQL 5.6.5, this option was disabled by default. As of MySQL 5.6.5, it is enabled by default.

See Also

https://workbench.cisecurity.org/files/3848

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: MySQLDB

Control ID: 77c3429ec83f20aada3ecee998d141de69f26f7b32d57c502419e57e6fcdfdf4