7.1 Ensure default_authentication_plugin is Set to a Secure Option

Information

The -default-authentication-plugin system variable governs two things:

Authentication plugin used by a new user account if a plugin is not specified explicitly through CREATE USER statement

Initial authentication data payload generated by server in case of a new connection.

Rationale:

MySQL Native Authentication relies on the Secure Hash Algorithm 1 (SHA1) algorithm and the National Institute of Standards and Technology (NIST) has suggested to stop using it.

The MySQL Native Authentication plugin leverages this weak hashing algorithm that can be quickly brute forced.

Solution

Configure mysql to default to the sha256_password plugin.

Require sha256_password plugin to be used by default for new accounts.

Edit my.cnf, in the section [mysqld] add:

default_authentication_plugin= sha256_password

Determine if any users are using mysql_native_password.

select host, user, plugin from mysql.user;

Migrate these users from mysql_native_password.

ALTER USER user
IDENTIFIED WITH sha256_password IDENTIFIED BY RANDOM PASSWORD PASSWORD EXPIRE;

Provide users the random password value through a secure mechanism - on next login they will be forced to change the password.

Default Value:

mysql_native_password

See Also

https://workbench.cisecurity.org/files/3844

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: MySQLDB

Control ID: f5f354be50a7c38437fb6d58ecfc543006be0b60fab0734c5bd7886092baeb03