2.9 Require Current Password for Password Reset

Information

Require the current password for password reset.

Rationale:

Requiring a prior password for password reset enables DBAs to prevent users from changing a password without proving that they know the current password. Such changes could otherwise occur, for example, if one user walks away from a terminal session temporarily without logging out, and a malicious user uses the session to change the original user's MySQL password. This can have unfortunate consequences; the most problematic being the malicious user can access MySQL with the user's changed credentials.

Solution

Set the value to ON

SET PERSIST password_require_current=ON;

Default Value:

The password_require_current is OFF by default.

See Also

https://workbench.cisecurity.org/benchmarks/10139

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5

Plugin: MySQLDB

Control ID: ca0c40bb41744a2c2d657a1c62d5875382972a91fa02878791a949a5d902d09c