7.1 Ensure 'old_passwords' Is Not Set to '1' - ON

Information

This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements. Before 5.6.6, the value can be 0, or 1. As of 5.6.6, the value can be one of the following:

0 - authenticate with the mysql_native_password plugin

1 - authenticate with the mysql_old_password plugin

2 - authenticate with the sha256_password plugin

Rationale:

When old_passwords is set to 1 the PASSWORD() function will create password hashes with a very weak hashing algorithm which might be easy to break if captured by an attacker.

Solution

Configure mysql to leverage the mysql_native_password or sha256_password plugin. For more information, see:

https://dev.mysql.com/doc/refman/5.6/en/password-hashing.html

https://dev.mysql.com/doc/refman/5.6/en/sha256-pluggable-authentication.html

Default Value:

0

See Also

https://workbench.cisecurity.org/files/3848

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: MySQLDB

Control ID: 26d03827efdbbe4e1b6d3a3e9e64afb6aa6513d5af7be3003a553dc07fb6b0b6