2.10 Use Dual Passwords to Enable Higher Frequency Password Rotation

Information

Dual passwords act as a tool to encourage password rotations in cases where a synchronized password change is not viable. By having a time delta to have old and new passwords in place, the process of replacing old passwords with new passwords within applications is simplified.

Rationale:

Too often passwords used by applications are not changed regularly because of the difficulty in timing for propagating the new password, keeping the applications connected, and connection failures due to race conditions. If it is difficult to perform a synchronized change you can optionally use dual passwords to simplify the task of password rotation.

Impact:

If the original password isn't removed upon completion of the password rotation process, the potential risk for a compromise is increased.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To set dual passwords execute the following ALTER command:

ALTER USER '<user>'@'<hostname>'
IDENTIFIED BY '<new_password>'
RETAIN CURRENT PASSWORD;

Once the new password has been distributed DISCARD the old password using ALTER:

ALTER USER '<user>'@'<hostname>'
DISCARD OLD PASSWORD;

See Also

https://workbench.cisecurity.org/benchmarks/12903