{"id":3508,"date":"2020-04-21T08:31:36","date_gmt":"2020-04-21T07:31:36","guid":{"rendered":"http:\/\/dasini.net\/blog\/?p=3508"},"modified":"2020-05-20T11:01:16","modified_gmt":"2020-05-20T10:01:16","slug":"mysql-security-password-expiration-policy","status":"publish","type":"post","link":"https:\/\/dasini.net\/blog\/2020\/04\/21\/mysql-security-password-expiration-policy\/","title":{"rendered":"MySQL Security \u2013 Password Expiration Policy"},"content":{"rendered":"\n<p>When thinking about security within a MySQL installation, you can consider a wide range of possible procedures \/ best practices and how they affect the security of your MySQL server and related applications. <\/p>\n\n\n\n<p>MySQL provides many tools \/ features \/ plugins or components in order to protect your data including some advanced features like <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/10\/mysql-security-mysql-enterprise-transparent-data-encryption\/\" target=\"_blank\"><strong>Transparent Data Encryption<\/strong> (TDE)<\/a>,\u00a0<strong><a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/04\/mysql-security-mysql-enterprise-audit\/\" target=\"_blank\">Audit<\/a><\/strong>, <strong><a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2019\/03\/19\/mysql-security-mysql-enterprise-data-masking-and-de-identification\/\" target=\"_blank\">Data Masking &amp; De-Identification<\/a><\/strong>, <strong><a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/16\/mysql-security-mysql-enterprise-firewall\/\" target=\"_blank\">Firewall<\/a><\/strong>, <strong><a aria-label=\" (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/15\/mysql-security-random-password-generation\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Random Password Generation<\/a><\/strong>, <a aria-label=\"Password Reuse Policy (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/28\/mysql-security-password-reuse-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\"><strong>Password Reuse Policy<\/strong><\/a>, <strong><a aria-label=\" (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/05\/05\/mysql-security-password-verification-required-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Password Verification-Required Policy<\/a><\/strong>, <a aria-label=\"Failed-Login Tracking and Temporary Account Locking (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/05\/12\/mysql-security-failed-login-tracking-and-temporary-account-locking\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\"><strong>Failed-Login Tracking and Temporary Account Locking<\/strong><\/a>, <strong><a href=\"http:\/\/dasini.net\/blog\/2020\/05\/19\/mysql-security-dual-password-support\/\" target=\"_blank\" aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Dual Password Support<\/a><\/strong>, <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/03\/29\/mysql-security-the-connection-control-plugins\/\" target=\"_blank\" class=\"aioseop-link\">Connection-Control Plugins<\/a>, Password Validation Component, etc\u2026<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/dasini.net\/blog\/wp-content\/uploads\/MySQL_DB_Lock2.png\" alt=\"MySQL Security\"\/><\/figure><\/div>\n<\/div><\/div>\n\n\n\n<p>Basic password policy practices teaches us :<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Each user must have a password<\/li><li>A user&rsquo;s password should be changed periodically<\/li><\/ul>\n\n\n\n<p>However, often this is not enough. Actually, some regulations required&nbsp;that the password is renewed in a timely and appropriate manner (e.g. every 90 days). <\/p>\n\n\n\n<p>In this article, we will see how to establish a <strong>policy for password expiration<\/strong>&nbsp;with MySQL 8.0&nbsp;Password Expiration Policy.<\/p>\n\n\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">TL;DR<\/h3>\n\n\n\n<p class=\"has-text-color has-vivid-cyan-blue-color\">MySQL provides password-expiration capability, which enables database administrators to require that users reset their password.<\/p>\n\n\n\n\n\n<figure class=\"wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Establish a policy for password expiration with MySQL (v3)\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/k4K-scd4oI0?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption>Establish a policy for password expiration with MySQL<\/figcaption><\/figure>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n\n\n<p>The main goal of <strong><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/password-management.html#password-expiration-policy\" target=\"_blank\">Password Expiration Policy<\/a><\/strong> is to require passwords to be changed periodically.<br>It can be established globally, and individual accounts can be set to either defer to the global policy or override the global policy with specific per-account behavior.<\/p>\n\n\n\n<p>There are different clauses a DBA can use with <strong><em>CREATE USER<\/em><\/strong> or <strong><em>ALTER USER<\/em><\/strong> to establish a per account password expiration policy.<\/p>\n\n\n\n<p>Let\u2019s take a closer look using MySQL 8.0.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ mysqlsh daz@localhost --sql\n\nMySQL SQL> SELECT VERSION();\n+-----------+\n| VERSION() |\n+-----------+\n| 8.0.19    |\n+-----------+<\/code><\/pre>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">PASSWORD EXPIRE<\/h2>\n\n\n\n<p>Force user to change its password at the first connection.<\/p>\n\n\n\n<p>Create a user with a <a href=\"http:\/\/dasini.net\/blog\/2020\/04\/15\/mysql-security-random-password-generation\/\" target=\"_blank\" aria-label=\"random password (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"aioseop-link\">random password<\/a> and mark that password expired :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>-- Mark the password expired so that the user must choose a new one at the first connection to the server\nMySQL SQL> \nCREATE USER 'aUser'@'localhost' IDENTIFIED BY RANDOM PASSWORD PASSWORD EXPIRE;\n+-------+-----------+----------------------+\n| user  | host      | generated password   |\n+-------+-----------+----------------------+\n| aUser | localhost | (wvx3n7jH)bVNi3tOiQV |\n+-------+-----------+----------------------+<\/code><\/pre>\n\n\n\n<p>We can see if the password is expired with <em><strong>mysql.user<\/strong><\/em> table :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> \nSELECT user, host, password_lifetime, password_expired, password_last_changed FROM mysql.user WHERE user = 'aUser' \\G\n*************************** 1. row ***************************\n                 user: aUser\n                 host: localhost\n    password_lifetime: NULL\n     password_expired: Y\npassword_last_changed: 2020-04-01 12:31:57<\/code><\/pre>\n\n\n\n<p>Note that <em><strong>password_expired<\/strong><\/em> column is <strong>Y<\/strong>.<\/p>\n\n\n\n<p>In clear, this new MySQL user will be able to connect to the server but he must reset its password before being able to executing statements<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ mysql -u aUser -p\nEnter password: \n...\n\n\nmysql> SELECT USER();\nERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.\n\n\nmysql> ALTER USER user() IDENTIFIED BY 'n3w_pAssw0rd';\nQuery OK, 0 rows affected (0.01 sec)\n\n\nmysql> SELECT USER();\n+-----------------+\n| USER()          |\n+-----------------+\n| aUser@localhost |\n+-----------------+<\/code><\/pre>\n\n\n\n<p>Column <em><strong>password_expired<\/strong><\/em> is now <strong>N<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> \nSELECT user, host, password_lifetime, password_expired, password_last_changed FROM mysql.user WHERE user = 'aUser' \\G\n*************************** 1. row ***************************\n                 user: aUser\n                 host: localhost\n    password_lifetime: NULL\n     password_expired: N\npassword_last_changed: 2020-04-01 12:41:25<\/code><\/pre>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">PASSWORD EXPIRE INTERVAL n DAY<\/h2>\n\n\n\n<p>Force user to change its password every N days.<\/p>\n\n\n\n<p>Create a user with password that will expire in 90 days :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> \n-- Require that a new password be chosen every 90 days\nCREATE USER 'aNewUser'@'localhost' IDENTIFIED BY 'aN3w_pAssw0rd' PASSWORD EXPIRE INTERVAL 90 DAY;<\/code><\/pre>\n\n\n\n<p>We can see the password options in the <em><strong>mysql.user<\/strong><\/em> table :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> \nSELECT user, host, password_lifetime, password_expired, password_last_changed FROM mysql.user WHERE user = 'aNewUser'\\G\n*************************** 1. row ***************************\n                 user: aNewUser\n                 host: localhost\n    password_lifetime: 90\n     password_expired: N\npassword_last_changed: 2020-04-01 15:40:14<\/code><\/pre>\n\n\n\n<p>Note that <em><strong>password_lifetime<\/strong><\/em> column is 90.<\/p>\n\n\n\n<p>After 90 days any statement will generate <strong><em>error 1820<\/em><\/strong> :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ mysql -u aNewUser -p\n...\n\n\nmysql {aNewUser}> SELECT USER();\nERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.<\/code><\/pre>\n\n\n\n<p>Password could be reset with <strong><em>ALTER USER<\/em><\/strong> command :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mysql {aNewUser}> \nALTER USER user() IDENTIFIED BY '4noth3r_pa5sw0rd';\nQuery OK, 0 rows affected (0.01 sec)\n\n\nmysql {aNewUser}> SELECT USER();\n+--------------------+\n| USER()             |\n+--------------------+\n| aNewUser@localhost |\n+--------------------+\n<\/code><\/pre>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">PASSWORD EXPIRE DEFAULT<\/h2>\n\n\n\n<p>This clause sets the account so that the global password expiration policy applies, as specified by the <strong><em>default_password_lifetime<\/em><\/strong> system variable.<\/p>\n\n\n\n<p>The default <strong><em>default_password_lifetime<\/em><\/strong> value is <strong>0<\/strong>, which disables automatic password expiration. <br>If the value of <strong><em>default_password_lifetime<\/em><\/strong> is a positive integer N, it indicates the permitted password lifetime; passwords must be changed every N days.<\/p>\n\n\n\n<p><strong><em>default_password_lifetime<\/em><\/strong> can be set in the MySQL configuration file but it can also be set and persisted at runtime using <strong><em>SET PERSIST<\/em><\/strong> :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> \nSET PERSIST default_password_lifetime = 30;<\/code><\/pre>\n\n\n\n<p>The same behavior can be achieved using the configuration file (usually  my.cnf or my.ini) :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;mysqld]\ndefault_password_lifetime = 30<\/code><\/pre>\n\n\n\n<p>but it will require a server restart.<\/p>\n\n\n\n<p>To defer the global expiration policy for an account you should use <em><strong>Password Expire Default<\/strong><\/em> clause :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> \nCREATE USER olivier@localhost  PASSWORD EXPIRE DEFAULT;\n\n\nALTER USER aNewUser@localhost PASSWORD EXPIRE DEFAULT;<\/code><\/pre>\n\n\n\n<p>Lastly, to establish a global policy such that passwords never expire, set <strong><em>default_password_lifetime<\/em><\/strong> to <strong>0<\/strong> :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> \nSET PERSIST default_password_lifetime = 0;\n\n\nSHOW VARIABLES LIKE 'default_password_lifetime';\n+---------------------------+-------+\n| Variable_name             | Value |\n+---------------------------+-------+\n| default_password_lifetime | 0     |\n+---------------------------+-------+<\/code><\/pre>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">PASSWORD EXPIRE NEVER<\/h2>\n\n\n\n<p>It\u2019s also possible to disable password expiration for an account.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> \n-- Disables password expiration for the account so that its password never expires\nCREATE USER 'pingDB'@'localhost' IDENTIFIED BY 'A-p45swOrd' PASSWORD EXPIRE NEVER;\n\n\nSELECT user, host, password_lifetime, password_expired, password_last_changed FROM mysql.user WHERE user = 'pingDB'\\G\n*************************** 1. row ***************************\n                 user: pingDB\n                 host: localhost\n    password_lifetime: 0\n     password_expired: N\npassword_last_changed: 2020-04-02 12:42:03<\/code><\/pre>\n\n\n\n<p>Note that <strong><em>password_lifetime<\/em><\/strong> column is <strong>0<\/strong>.<\/p>\n\n\n\n<p>This expiration option overrides the global policy for all accounts named by the statement.<\/p>\n\n\n\n\n\n\n\n<h2 class=\"wp-block-heading\">To Go Further<\/h2>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<p><strong><a rel=\"noreferrer noopener\" href=\"https:\/\/www.youtube.com\/channel\/UC12TulyJsJZHoCmby3Nm3WQ\" target=\"_blank\" class=\"aioseop-link\"><span style=\"text-decoration: underline;\">Olivier&rsquo;s MySQL Channel<\/span><\/a><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/youtu.be\/k4K-scd4oI0\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Establish a policy for password expiration with MySQL\">Establish a policy for password expiration with MySQL<\/a><\/li><li><a href=\"https:\/\/youtu.be\/VND0KvuX7bc\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Create users with a random password in MySQL\">Create users with a random password in MySQL<\/a><\/li><li><a href=\"https:\/\/www.youtube.com\/watch?v=4z6-dlGT-Mc\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Enable restrictions on reuse of previous passwords with MySQL\">Enable restrictions on reuse of previous passwords with MySQL<\/a><\/li><li><a href=\"https:\/\/www.youtube.com\/watch?v=1RwlU14TDWk\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Require MySQL users to provide their current password to change it\">Require MySQL users to provide their current password to change it<\/a><\/li><li><a href=\"https:\/\/www.youtube.com\/watch?v=6HO_ciRbiXw\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Temporary Account Locking in MySQL\">Temporary Account Locking in MySQL<\/a><\/li><\/ul>\n\n\n<\/div><\/div>\n\n\n\n<p><strong><span style=\"text-decoration: underline;\">Reference Manual<\/span><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a rel=\"noreferrer noopener\" aria-label=\"Password Expiration Policy? (opens in a new tab)\" href=\"https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/password-management.html#password-expiration-policy\" target=\"_blank\">Password Expiration Policy<\/a><\/li><li><a href=\"https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/server-system-variables.html#sysvar_default_password_lifetime\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"default_password_lifetime? (opens in a new tab)\">default_password_lifetime<\/a><\/li><li><a rel=\"noreferrer noopener\" aria-label=\"Server Handling of Expired Passwords (opens in a new tab)\" href=\"https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/expired-password-handling.html\" target=\"_blank\">Server Handling of Expired Passwords<\/a><\/li><\/ul>\n\n\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<p><strong><span style=\"text-decoration: underline;\">MySQL Security<\/span><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/dev.mysql.com\/doc\/mysql-security-excerpt\/8.0\/en\/\">Security in MySQL<\/a><\/li><li><a href=\"https:\/\/dev.mysql.com\/doc\/mysql-secure-deployment-guide\/8.0\/en\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"MySQL 8.0 Secure Deployment Guide? (opens in a new tab)\">MySQL 8.0 Secure Deployment Guide<\/a><\/li><li><a href=\"https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/security.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"MySQL 8.0 Reference Manual \u2013 Security (opens in a new tab)\">MySQL 8.0 Reference Manual \u2013 Security<\/a><\/li><\/ul>\n<\/div><\/div>\n\n\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<p><strong><span style=\"text-decoration: underline;\">MySQL Security Serie &#8211; Password Management<\/span><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a aria-label=\"Random Password Generation? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/15\/mysql-security-random-password-generation\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Random Password Generation<\/a><\/li><li><a aria-label=\"Password Expiration Policy? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/21\/mysql-security-password-expiration-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Password Expiration Policy<\/a><\/li><li><a aria-label=\"Password Reuse Policy? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/28\/mysql-security-password-reuse-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Password Reuse Policy<\/a><\/li><li><a aria-label=\"Password Verification-Required Policy? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/05\/05\/mysql-security-password-verification-required-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Password Verification-Required Policy<\/a><\/li><li><a aria-label=\"Failed-Login Tracking and Temporary Account Locking? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/05\/12\/mysql-security-failed-login-tracking-and-temporary-account-locking\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Failed-Login Tracking and Temporary Account Locking<\/a><\/li><li><a href=\"http:\/\/dasini.net\/blog\/2020\/05\/19\/mysql-security-dual-password-support\/\" target=\"_blank\" aria-label=\"Dual Password Support (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Dual Password Support<\/a><\/li><\/ul>\n\n\n<\/div><\/div>\n\n\n\n<p><strong><span style=\"text-decoration: underline;\">MySQL Security Serie<\/span> (1st edition)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/03\/01\/mysql-security-password-validation-plugin\/\" target=\"_blank\">Password Validation Plugin<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/03\/07\/mysql-security-password-management\/\" target=\"_blank\">Password Management<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/03\/14\/mysql-security-user-account-locking\/\" target=\"_blank\">User Account Locking<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/03\/29\/mysql-security-the-connection-control-plugins\/\" target=\"_blank\">The Connection-Control Plugins<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/04\/mysql-security-mysql-enterprise-audit\/\" target=\"_blank\">Enterprise Audit<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/10\/mysql-security-mysql-enterprise-transparent-data-encryption\/\" target=\"_blank\">Enterprise Transparent Data Encryption (TDE)<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/16\/mysql-security-mysql-enterprise-firewall\/\" target=\"_blank\">Enterprise Firewall<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2019\/03\/19\/mysql-security-mysql-enterprise-data-masking-and-de-identification\/\" target=\"_blank\">Enterprise Data Masking and De-Identification<\/a> <\/li><\/ul>\n\n\n\n\n\n\n\n<div style=\"height:75px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-vivid-red-color has-text-color\"><strong>Thanks for using MySQL!<\/strong><\/p>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><a href=\"https:\/\/www.linkedin.com\/groups\/12524512\/\" target=\"_blank\" rel=\"noopener\" title=\"Olivier DASINI on Linkedin\">Follow me on Linkedin<\/a><\/p>\n\n\n\n<p>Watch my videos on my <a href=\"https:\/\/www.youtube.com\/channel\/UC12TulyJsJZHoCmby3Nm3WQ\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Olivier's MySQL Channel\">YouTube channel<\/a> and <a href=\"https:\/\/www.youtube.com\/channel\/UC12TulyJsJZHoCmby3Nm3WQ\/?sub_confirmation=1\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Subscribe\">subscribe<\/a>.<\/p>\n\n\n\n<p>My <a href=\"https:\/\/www.slideshare.net\/freshdaz\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Olivier DASINI on Slideshare\">Slideshare account<\/a>.<\/p>\n\n\n\n<p>My <a href=\"https:\/\/speakerdeck.com\/freshdaz\/\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Olivier DASINI on Speaker Deck\">Speaker Deck account<\/a>.<\/p>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-vivid-red-color has-text-color\"><strong>Thanks for using HeatWave &amp; MySQL!<\/strong><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>MySQL provides password-expiration capability, which enables database administrators to require that users reset their password.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"categories":[203,365,339],"tags":[689,1626,371,690,367],"class_list":["post-3508","post","type-post","status-publish","format-standard","hentry","category-mysql-en","category-security","category-tuto-en","tag-hipaa","tag-password","tag-password-expiration","tag-pci-dss","tag-security"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9LfWW-UA","jetpack-related-posts":[{"id":2156,"url":"https:\/\/dasini.net\/blog\/2018\/03\/07\/mysql-security-password-management\/","url_meta":{"origin":3508,"position":0},"title":"MySQL Security \u2013 Password Management","author":"Olivier DASINI","date":"7 mars 2018","format":false,"excerpt":"Some regulations required\u00a0that the password is renewed in a timely and appropriate manner (e.g. every 90 days). In this article, 2nd of the MySQL 5.7 Security series, we will see how to\u00a0to establish a policy for password expiration\u00a0with MySQL 5.7\u00a0Password\u00a0Management.","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"MySQL Security","src":"https:\/\/i0.wp.com\/dasini.net\/blog\/wp-content\/uploads\/MySQL_DB_Lock2.png?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":3557,"url":"https:\/\/dasini.net\/blog\/2020\/04\/15\/mysql-security-random-password-generation\/","url_meta":{"origin":3508,"position":1},"title":"MySQL Security &#8211; Random Password Generation","author":"Olivier DASINI","date":"15 avril 2020","format":false,"excerpt":"MySQL has the capability of generating random passwords for user accounts, as an alternative to requiring explicit administrator-specified literal passwords.","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/VND0KvuX7bc\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":3567,"url":"https:\/\/dasini.net\/blog\/2020\/05\/19\/mysql-security-dual-password-support\/","url_meta":{"origin":3508,"position":2},"title":"MySQL Security &#8211; Dual Password Support","author":"Olivier DASINI","date":"19 mai 2020","format":false,"excerpt":"Dual-password capability makes it possible to seamlessly perform credential changes without downtime.","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2177,"url":"https:\/\/dasini.net\/blog\/2018\/03\/14\/mysql-security-user-account-locking\/","url_meta":{"origin":3508,"position":3},"title":"MySQL Security &#8211; User Account Locking","author":"Olivier DASINI","date":"14 mars 2018","format":false,"excerpt":"For security reasons some context require you to setup a user account locking policy. Thus an unauthorized user is not able (anymore) to login to the MySQL server. In this 3rd article of the\u00a0MySQL 5.7 Security series, we\u00a0will see how to [un]lock a user account.","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"MySQL Security","src":"https:\/\/i0.wp.com\/dasini.net\/blog\/wp-content\/uploads\/MySQL_DB_Lock2.png?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":3535,"url":"https:\/\/dasini.net\/blog\/2020\/04\/28\/mysql-security-password-reuse-policy\/","url_meta":{"origin":3508,"position":4},"title":"MySQL Security &#8211; Password Reuse Policy","author":"Olivier DASINI","date":"28 avril 2020","format":false,"excerpt":"MySQL provides password-reuse capability, which allows database administrators to determine the number of unique passwords a user must use before they can use an old password again.","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/4z6-dlGT-Mc\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":3561,"url":"https:\/\/dasini.net\/blog\/2020\/05\/05\/mysql-security-password-verification-required-policy\/","url_meta":{"origin":3508,"position":5},"title":"MySQL Security &#8211; Password Verification-Required Policy","author":"Olivier DASINI","date":"5 mai 2020","format":false,"excerpt":"MySQL 8.0 has introduced an optional behavior that authorize users to change their password only if they could provide the current password.","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/1RwlU14TDWk\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/posts\/3508","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/comments?post=3508"}],"version-history":[{"count":56,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/posts\/3508\/revisions"}],"predecessor-version":[{"id":3715,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/posts\/3508\/revisions\/3715"}],"wp:attachment":[{"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/media?parent=3508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/categories?post=3508"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/tags?post=3508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}