2.7 Ensure Password Complexity is Configured - validate_password_policy

Information

Passwords that are too complex in nature make it harder for users to remember, leading to bad practices. In addition, composition requirements provide no defense against common attack types such as social engineering or insecure password storage. In keeping with the overall goal of having users create a password that is not overly weak, it's best to have at least 14 characters for a password-only account.

Rationale:

Malicious actors regularly attempt to compromise databases by attacking or guessing passwords. Stolen credentials may be used to gain access to steal information, engage in financial fraud, and more.

By enforcing practical and secure policies, end user cooperation grows. In general, longer passwords are better (harder to crack), but a forced password length requirement can cause user behavior that is predictable and undesirable. Having a reasonable minimum length with no maximum character limit increases the resulting average password length used and thus increases the security of that password.

Impact:

Passwords with too much enforced complexity or length may be difficult for users to memorize. This may cause users to use predictable patterns or other bad practices, resulting in weaker passwords.

Solution

If not already present in the my.cnf, add this line:

plugin-load=validate_password.so

Set password policies in accordance with the organizationally defined policy and security best practices:

set global validate_password_dictionary_file='<FILENAME OF DICTIONARY FILE>';
set global validate_password_length=14;
set global validate_password_policy='STRONG';

Use with care. Passwords that are too complex in nature make it harder for users to remember, leading to bad practices.

set global validate_password_mixed_case_count=1;
set global validate_password_special_char_count=1;
set global validate_password_number_count=1;
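The following Python script is an added example for auditing this item; it is not part of the CIS benchmark text or the Tenable plugin. It parses the tab-separated rows that `mysql --batch --skip-column-names -e "SHOW GLOBAL VARIABLES LIKE 'validate_password%'"` prints, takes the plugin's PLUGIN_STATUS from INFORMATION_SCHEMA.PLUGINS as a separate argument, and reports every deviation from the values in the Solution section above. The two row sets and the dictionary path are constructed sample data so the check runs offline.

```python
"""Added audit check for CIS MySQL 2.7 (validate_password) - example, not benchmark code."""

# Thresholds taken from the Solution section of the item.
MIN_LENGTH = 14
REQUIRED_POLICY = "STRONG"
MIN_COUNTS = {
    "validate_password_mixed_case_count": 1,
    "validate_password_special_char_count": 1,
    "validate_password_number_count": 1,
}

# Constructed sample: output of SHOW GLOBAL VARIABLES on a server configured per this item.
# The dictionary path is a placeholder, not a real file.
COMPLIANT_RAW = """\
validate_password_dictionary_file\t/etc/mysql/dictionary.txt
validate_password_length\t14
validate_password_mixed_case_count\t1
validate_password_number_count\t1
validate_password_policy\tSTRONG
validate_password_special_char_count\t1
"""

# Constructed sample: plugin loaded, but left at its out-of-the-box values.
DEFAULT_RAW = """\
validate_password_dictionary_file\t
validate_password_length\t8
validate_password_mixed_case_count\t1
validate_password_number_count\t1
validate_password_policy\tMEDIUM
validate_password_special_char_count\t1
"""


def parse_show_variables(raw):
    """Turn 'Variable_name<TAB>Value' lines (mysql --batch --skip-column-names) into a dict."""
    variables = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition("\t")
        variables[name.strip()] = value.strip()
    return variables


def audit_validate_password(plugin_status, variables):
    """Return a list of findings; an empty list means the item passes.

    plugin_status: PLUGIN_STATUS from INFORMATION_SCHEMA.PLUGINS for validate_password,
                   or None when no such row exists (plugin never loaded).
    variables:     dict produced by parse_show_variables().
    """
    findings = []
    if plugin_status != "ACTIVE":
        # With the plugin absent none of the variables exist, so stop after this finding.
        findings.append(
            f"validate_password plugin is not ACTIVE (status: {plugin_status}); "
            "add plugin-load=validate_password.so to my.cnf"
        )
        return findings

    length = int(variables.get("validate_password_length", "0"))
    if length < MIN_LENGTH:
        findings.append(f"validate_password_length is {length}, expected >= {MIN_LENGTH}")

    policy = variables.get("validate_password_policy", "")
    if policy != REQUIRED_POLICY:
        findings.append(f"validate_password_policy is {policy!r}, expected {REQUIRED_POLICY!r}")

    # STRONG only adds a dictionary check when a file is actually configured.
    if not variables.get("validate_password_dictionary_file"):
        findings.append("validate_password_dictionary_file is empty; dictionary check is disabled")

    for name, minimum in MIN_COUNTS.items():
        value = int(variables.get(name, "0"))
        if value < minimum:
            findings.append(f"{name} is {value}, expected >= {minimum}")
    return findings


if __name__ == "__main__":
    for label, status, raw in (
        ("compliant server", "ACTIVE", COMPLIANT_RAW),
        ("default server", "ACTIVE", DEFAULT_RAW),
        ("plugin not loaded", None, ""),
    ):
        result = audit_validate_password(status, parse_show_variables(raw))
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

To run it against a live server, replace the constructed strings with the real client output and the real PLUGIN_STATUS value; the check logic itself needs no change. The plugin-status test comes first on purpose: when the plugin is not loaded, `SHOW VARIABLES LIKE 'validate_password%'` returns no rows, and reporting six missing variables would hide the single actionable fix (the my.cnf line above).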

Default Value:

The MySQL validate password complexity plugin is not used by default.

See Also

https://workbench.cisecurity.org/files/3844

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)

Plugin: MySQLDB

Control ID: d61640f4e20bd25fca8a81d48d0b65fd89103723ee89966f9baf62cdde5fd815