2.9 Require Current Password for Password Reset

Information

Require the current password for password reset. In MySQL 8.0.13 and later the password_require_current system variable controls whether a user changing their own password must supply the existing password (the REPLACE clause of ALTER USER or SET PASSWORD); this item requires it to be enabled.

Rationale:

Requiring the current password for a password change lets DBAs prevent users from changing their password without proving that they know the existing one. Without this check a password could be changed, for example, when a user leaves a terminal session logged in and walks away, and a malicious user at that terminal uses the session to change the original user's MySQL password. The most serious consequence is that the malicious user can then authenticate to MySQL with the changed credentials at any later time, long after the unattended session has ended. Note that the check applies to ordinary users changing their own password; accounts holding the global CREATE USER privilege or UPDATE on the mysql system schema can change any account's password without supplying the current one regardless of this setting, and an account created or altered with PASSWORD REQUIRE CURRENT OPTIONAL overrides the global value for that account.

Solution

Set password_require_current to ON. SET PERSIST writes the value to mysqld-auto.cnf in the data directory so it survives a restart and requires the SYSTEM_VARIABLES_ADMIN (or SUPER) privilege; alternatively add password_require_current=ON to the [mysqld] section of the server option file:

SET PERSIST password_require_current=ON;
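The following SQL is an added worked example, not part of the CIS item or of MySQL's documentation. It shows the audit query, the weak default beside the hardened setting, what a self-service password change looks like under each, and the per-account override that can silently weaken the global value. It assumes MySQL 8.0.13 or later; the account name app_user and the password strings are hypothetical.

```sql
-- Added example (not from the original item). Assumes MySQL >= 8.0.13.
-- Account 'app_user'@'%' and the password values are hypothetical.

-- 1. Audit the current state. Expected value after remediation: ON.
SHOW VARIABLES LIKE 'password_require_current';

-- 2. Weak state (the default, password_require_current = OFF):
--    a session left logged in can change its own password without
--    proving knowledge of the old one.
--      ALTER USER USER() IDENTIFIED BY 'new-secret';   -- succeeds

-- 3. Hardened state, persisted to mysqld-auto.cnf so it survives a restart.
--    Needs SYSTEM_VARIABLES_ADMIN or SUPER.
SET PERSIST password_require_current = ON;

--    The same self-service change is now rejected (ER_MISSING_CURRENT_PASSWORD)
--    unless the existing password is supplied with REPLACE:
--      ALTER USER USER() IDENTIFIED BY 'new-secret';                      -- rejected
--      ALTER USER USER() IDENTIFIED BY 'new-secret' REPLACE 'old-secret';  -- accepted
--      SET PASSWORD = 'new-secret' REPLACE 'old-secret';                   -- equivalent

-- 4. Per-account overrides. mysql.user.Password_require_current is
--    'Y' (always required), 'N' (optional, ignores the global ON) or
--    NULL (follow the global setting). List accounts that opt out:
SELECT User, Host, Password_require_current
FROM mysql.user
WHERE Password_require_current = 'N';

--    Put an opted-out account back under the global policy:
ALTER USER 'app_user'@'%' PASSWORD REQUIRE CURRENT DEFAULT;

-- 5. Re-check. Privileged users (global CREATE USER, or UPDATE on the
--    mysql schema) remain exempt from the REPLACE requirement, so the
--    control protects unattended sessions of ordinary accounts only.
SHOW VARIABLES LIKE 'password_require_current';
```

Run steps 1, 3, 4 and 5 as a DBA; the commented statements in steps 2 and 3 are what an ordinary user's session would issue and are shown only to contrast the two states. The mysql.user query is worth adding to the audit itself, since a global ON with accounts set to OPTIONAL passes the variable check but not the intent of the control.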

Default Value:

password_require_current is OFF by default.

See Also

https://workbench.cisecurity.org/benchmarks/15112

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5

Plugin: MySQLDB

Control ID: b1d4d3c0b155a760dc8ef2e79a8f0803bdc7a5df37c427e42aaad41bb4e56570