
{"id":3561,"date":"2020-05-05T08:28:53","date_gmt":"2020-05-05T07:28:53","guid":{"rendered":"http:\/\/dasini.net\/blog\/?p=3561"},"modified":"2020-05-20T11:03:12","modified_gmt":"2020-05-20T10:03:12","slug":"mysql-security-password-verification-required-policy","status":"publish","type":"post","link":"https:\/\/dasini.net\/blog\/2020\/05\/05\/mysql-security-password-verification-required-policy\/","title":{"rendered":"MySQL Security &#8211; Password Verification-Required Policy"},"content":{"rendered":"\n<p>When thinking about security within a MySQL installation, you can consider a wide range of possible procedures \/ best practices and how they affect the security of your MySQL server and related applications. <\/p>\n\n\n\n<p>MySQL provides many tools \/ features \/ plugins or components in order to protect your data including some advanced features like <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/10\/mysql-security-mysql-enterprise-transparent-data-encryption\/\" target=\"_blank\"><strong>Transparent Data Encryption<\/strong> (TDE)<\/a>,\u00a0<strong><a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/04\/mysql-security-mysql-enterprise-audit\/\" target=\"_blank\">Audit<\/a><\/strong>, <strong><a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2019\/03\/19\/mysql-security-mysql-enterprise-data-masking-and-de-identification\/\" target=\"_blank\">Data Masking &amp; De-Identification<\/a><\/strong>, <strong><a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/16\/mysql-security-mysql-enterprise-firewall\/\" target=\"_blank\">Firewall<\/a><\/strong>, <strong><a aria-label=\" (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/15\/mysql-security-random-password-generation\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Random Password Generation<\/a><\/strong>, <a aria-label=\"Password Expiration Policy (opens in a new tab)\" 
href=\"http:\/\/dasini.net\/blog\/2020\/04\/21\/mysql-security-password-expiration-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\"><strong>Password Expiration Policy<\/strong><\/a>, <a aria-label=\"Password Reuse Policy (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/28\/mysql-security-password-reuse-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\"><strong>Password Reuse Policy<\/strong><\/a>, <strong><a aria-label=\" (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/05\/12\/mysql-security-failed-login-tracking-and-temporary-account-locking\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Failed-Login Tracking and Temporary Account Locking<\/a><\/strong>, <strong><a href=\"http:\/\/dasini.net\/blog\/2020\/05\/19\/mysql-security-dual-password-support\/\" target=\"_blank\" aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Dual Password Support<\/a><\/strong>, <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/03\/29\/mysql-security-the-connection-control-plugins\/\" target=\"_blank\">Connection-Control Plugins<\/a>, Password Validation Component, etc\u2026<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/dasini.net\/blog\/wp-content\/uploads\/MySQL_DB_Lock2.png\" alt=\"MySQL Security\"\/><\/figure><\/div>\n<\/div><\/div>\n\n\n\n<p>Basic password policy practices teach us:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Each user must have a password<\/li><li>A user&rsquo;s password should be changed periodically<\/li><\/ul>\n\n\n\n<p>However, often this is not enough.<br><a aria-label=\"Password Verification-Required Policy (opens in a new tab)\" 
href=\"https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/password-management.html#password-reverification-policy\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\"><strong>Password Verification-Required Policy<\/strong><\/a> can help you to protect your database. <br>It will make it harder to modify a user\u2019s password if someone gets access to the user\u2019s session and not the credentials themselves.<\/p>\n\n\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">TL;DR<\/h3>\n\n\n\n<p class=\"has-text-color has-vivid-cyan-blue-color\">MySQL 8.0 has introduced an optional behavior that authorizes users to change their password only if they can provide the current password.<\/p>\n\n\n\n\n\n<figure class=\"wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Authorize MySQL users to change their password only if they can provide the current password\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/1RwlU14TDWk?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption>Require MySQL users to provide their current password to change it<\/figcaption><\/figure>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n\n\n<p>There are different clauses a DBA can use with <strong><em>CREATE USER<\/em><\/strong> or <strong><em>ALTER USER<\/em><\/strong> to establish a per-account password verification-required policy.<\/p>\n\n\n\n<p>Let\u2019s play using MySQL 8.0<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> SELECT VERSION();\n+-----------+\n| VERSION() |\n+-----------+\n| 8.0.19    |\n+-----------+<\/code><\/pre>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">PASSWORD REQUIRE 
CURRENT<\/h2>\n\n\n\n<p>Require that password changes specify the current password.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">Syntax<\/span>:<br> CREATE USER &lt;user&gt;@&lt;host&gt; PASSWORD REQUIRE CURRENT;<br> ALTER   USER &lt;user&gt;@&lt;host&gt; PASSWORD REQUIRE CURRENT;<\/p>\n\n\n\n\n\n<p>Create a user account with a password generated by MySQL and enable the password verification-required policy:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> \nCREATE USER olivier@localhost IDENTIFIED BY RANDOM PASSWORD PASSWORD REQUIRE CURRENT;\n+---------+-----------+----------------------+\n| user    | host      | generated password   |\n+---------+-----------+----------------------+\n| olivier | localhost | S0RR73vpVqVPr35QdK&amp;h |\n+---------+-----------+----------------------+<\/code><\/pre>\n\n\n\n<p>We can see that the policy is enabled for this account in the <em><strong>mysql.user<\/strong><\/em> table:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SELECT user, host, Password_require_current, password_last_changed FROM mysql.user WHERE user = 'olivier'\\G\n*************************** 1. 
row ***************************\n                    user: olivier\n                    host: localhost\nPassword_require_current: Y\n   password_last_changed: 2020-04-03 15:08:00<\/code><\/pre>\n\n\n\n<p>Note that the <em><strong>Password_require_current<\/strong><\/em> column is <strong>Y<\/strong>.<\/p>\n\n\n\n\n\n<p>We can test the policy.<br>Connect to the newly created account:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> \n\\connect olivier@localhost\nCreating a session to 'olivier@localhost'\nPlease provide the password for 'olivier@localhost': ********************<\/code><\/pre>\n\n\n\n<p>Then modify the password:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL olivier SQL> \nALTER USER USER() IDENTIFIED BY 'NEW_P4s5word';\nERROR: 3892: Current password needs to be specified in the REPLACE clause in order to change it.\n\n\nMySQL olivier SQL> \nALTER USER USER() IDENTIFIED BY 'NEW_P4s5word' REPLACE 'S0RR73vpVqVPr35QdK&amp;h';\nQuery OK, 0 rows affected (0.0117 sec)<\/code><\/pre>\n\n\n\n<p>To avoid <strong><em>error 3892<\/em><\/strong>, we must use the <strong><em>REPLACE<\/em><\/strong> clause and provide the current password.<\/p>\n\n\n\n\n\n<p>Please note that privileged users (users having the global CREATE USER privilege or the UPDATE privilege for the mysql system database) can change any account password without specifying the current password, regardless of the verification-required policy. 
<\/p>\n\n\n\n<p>In other words, as a privileged DBA user, I am able to change someone else\u2019s password without the <strong><em>REPLACE<\/em><\/strong> clause:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> \nALTER USER olivier@localhost identified by 's\u00efxS*Zj#&amp;{2Svf}G';\nQuery OK, 0 rows affected (0.0098 sec)<\/code><\/pre>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">PASSWORD REQUIRE CURRENT OPTIONAL<\/h2>\n\n\n\n<p>Do not require that password changes specify the current password (the current password may but need not be given).<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">Syntax<\/span>:<br>CREATE USER &lt;user&gt;@&lt;host&gt; PASSWORD REQUIRE CURRENT OPTIONAL;<br>ALTER   USER &lt;user&gt;@&lt;host&gt; PASSWORD REQUIRE CURRENT OPTIONAL;<\/p>\n\n\n\n\n\n<p>Create a user account with a password generated by MySQL and enable the password verification policy, but without making it required:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> \nCREATE USER ethan@localhost IDENTIFIED BY RANDOM PASSWORD PASSWORD REQUIRE CURRENT OPTIONAL;\n+-------+-----------+----------------------+\n| user  | host      | generated password   |\n+-------+-----------+----------------------+\n| ethan | localhost | B6>}Kgbw6;_>85e]U_A&#91; |\n+-------+-----------+----------------------+\n\n\nSELECT user, host, Password_require_current, password_last_changed FROM mysql.user WHERE user = 'ethan'\\G\n*************************** 1. 
row ***************************\n                    user: ethan\n                    host: localhost\nPassword_require_current: N\n   password_last_changed: 2020-04-03 15:51:53<\/code><\/pre>\n\n\n\n<p>Note that the <strong><em>Password_require_current<\/em><\/strong> column is <strong>N<\/strong>.<\/p>\n\n\n\n\n\n<p>We can test the policy.<br>Connect to the newly created account:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> \n\\connect ethan@localhost\nCreating a session to 'ethan@localhost'\nPlease provide the password for 'ethan@localhost': ********************<\/code><\/pre>\n\n\n\n<p>Then modify the password:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL ethan SQL> \nALTER USER USER() IDENTIFIED BY 'NEW_P4s5word';\nQuery OK, 0 rows affected (0.0147 sec)\n\n\nALTER USER USER() IDENTIFIED BY 'An0th3r_Pa$$word' REPLACE 'NEW_P4s5word';\nQuery OK, 0 rows affected (0.0118 sec)<\/code><\/pre>\n\n\n\n<p>The current password is not required to change the password; well, it is\u2026 optional \ud83d\ude42<\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">Global policy<\/h2>\n\n\n\n<p>The password verification-required policy is controlled by the <strong><em><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/server-system-variables.html#sysvar_password_require_current\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">password_require_current<\/a><\/em><\/strong> global system variable.<\/p>\n\n\n\n<p>It can be changed online and persisted with <strong><em><a href=\"https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/set-variable.html\" target=\"_blank\" aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"aioseop-link\">SET PERSIST<\/a><\/em><\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> \nSHOW VARIABLES LIKE 'password_require_current';\n+--------------------------+-------+\n| Variable_name            | Value |\n+--------------------------+-------+\n| 
password_require_current | OFF   |\n+--------------------------+-------+\n\n\nSET PERSIST password_require_current = ON;\n\n\nSHOW VARIABLES LIKE 'password_require_current';\n+--------------------------+-------+\n| Variable_name            | Value |\n+--------------------------+-------+\n| password_require_current | ON    |\n+--------------------------+-------+<\/code><\/pre>\n\n\n\n<p>An alternative is to write it in the configuration file (usually <strong><em>my.cnf<\/em><\/strong> or <strong><em>my.ini<\/em><\/strong>) and restart the MySQL instance.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;mysqld]\npassword_require_current = ON<\/code><\/pre>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">PASSWORD REQUIRE CURRENT DEFAULT<\/h2>\n\n\n\n<p>Defer to the global password verification-required policy for all accounts named by the statement.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">Syntax<\/span>:<br> CREATE USER &lt;user&gt;@&lt;host&gt; PASSWORD REQUIRE CURRENT DEFAULT;<br> ALTER   USER &lt;user&gt;@&lt;host&gt; PASSWORD REQUIRE CURRENT DEFAULT;<\/p>\n\n\n\n\n\n<p>Create a user account whose password verification policy takes the global default value set at the instance level:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> \nSHOW VARIABLES LIKE 'password_require_current';\n+--------------------------+-------+\n| Variable_name            | Value |\n+--------------------------+-------+\n| password_require_current | ON    |\n+--------------------------+-------+\n\n\nCREATE USER defaultpvrp@localhost IDENTIFIED BY 'p0#' PASSWORD REQUIRE CURRENT DEFAULT;<\/code><\/pre>\n\n\n\n<p>We can test the policy.<br>Connect to the newly created account:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> \n\\connect defaultpvrp@localhost\nCreating a session to 'defaultpvrp@localhost'\nPlease provide the password for 'defaultpvrp@localhost': \n...\n\n\nMySQL defaultpvrp SQL> \nALTER USER USER() IDENTIFIED BY 'nEw_P4s5word';\nERROR: 3892: 
Current password needs to be specified in the REPLACE clause in order to change it.\n\n\nALTER USER USER() IDENTIFIED BY 'nEw_P4s5word' REPLACE 'p0#';\nQuery OK, 0 rows affected (0.0082 sec)<\/code><\/pre>\n\n\n\n<p>Because the global policy enables the <strong>Password Verification-Required Policy<\/strong>, we must use the <strong><em>REPLACE<\/em><\/strong> clause.<\/p>\n\n\n\n\n\n\n\n<h2 class=\"wp-block-heading\">To Go Further<\/h2>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<p><strong><a rel=\"noreferrer noopener\" href=\"https:\/\/www.youtube.com\/channel\/UC12TulyJsJZHoCmby3Nm3WQ\" target=\"_blank\" class=\"aioseop-link\"><span style=\"text-decoration: underline;\">Olivier&rsquo;s MySQL Channel<\/span><\/a><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/youtu.be\/k4K-scd4oI0\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Establish a policy for password expiration with MySQL\">Establish a policy for password expiration with MySQL<\/a><\/li><li><a href=\"https:\/\/youtu.be\/VND0KvuX7bc\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Create users with a random password in MySQL\">Create users with a random password in MySQL<\/a><\/li><li><a href=\"https:\/\/www.youtube.com\/watch?v=4z6-dlGT-Mc\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Enable restrictions on reuse of previous passwords with MySQL\">Enable restrictions on reuse of previous passwords with MySQL<\/a><\/li><li><a href=\"https:\/\/www.youtube.com\/watch?v=1RwlU14TDWk\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Require MySQL users to provide their current password to change it\">Require MySQL users to provide their current password to change it<\/a><\/li><li><a href=\"https:\/\/www.youtube.com\/watch?v=6HO_ciRbiXw\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Temporary Account Locking in MySQL\">Temporary Account Locking in 
MySQL<\/a><\/li><\/ul>\n\n\n<\/div><\/div>\n\n\n\n<p><strong><span style=\"text-decoration: underline;\">Reference Manual<\/span><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a aria-label=\"Password Verification-Required Policy? (opens in a new tab)\" href=\"https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/password-management.html#password-reverification-policy\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Password Verification-Required Policy<\/a><\/li><li><a aria-label=\"password_require_current? (opens in a new tab)\" href=\"https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/server-system-variables.html#sysvar_password_require_current\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">password_require_current<\/a><\/li><li><a href=\"https:\/\/mysqlserverteam.com\/mysql-8-0-13-change-current-password-policy\/\" target=\"_blank\" aria-label=\"MySQL 8.0.13: Change Current Password Policy (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"aioseop-link\">MySQL 8.0.13: Change Current Password Policy<\/a><\/li><\/ul>\n\n\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<p><strong><span style=\"text-decoration: underline;\">MySQL Security<\/span><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/dev.mysql.com\/doc\/mysql-security-excerpt\/8.0\/en\/\">Security in MySQL<\/a><\/li><li><a href=\"https:\/\/dev.mysql.com\/doc\/mysql-secure-deployment-guide\/8.0\/en\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"MySQL 8.0 Secure Deployment Guide? 
(opens in a new tab)\">MySQL 8.0 Secure Deployment Guide<\/a><\/li><li><a href=\"https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/security.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"MySQL 8.0 Reference Manual \u2013 Security (opens in a new tab)\">MySQL 8.0 Reference Manual \u2013 Security<\/a><\/li><\/ul>\n<\/div><\/div>\n\n\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<p><strong><span style=\"text-decoration: underline;\">MySQL Security Series &#8211; Password Management<\/span><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a aria-label=\"Random Password Generation? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/15\/mysql-security-random-password-generation\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Random Password Generation<\/a><\/li><li><a aria-label=\"Password Expiration Policy? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/21\/mysql-security-password-expiration-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Password Expiration Policy<\/a><\/li><li><a aria-label=\"Password Reuse Policy? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/28\/mysql-security-password-reuse-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Password Reuse Policy<\/a><\/li><li><a aria-label=\"Password Verification-Required Policy? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/05\/05\/mysql-security-password-verification-required-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Password Verification-Required Policy<\/a><\/li><li><a aria-label=\"Failed-Login Tracking and Temporary Account Locking? 
(opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/05\/12\/mysql-security-failed-login-tracking-and-temporary-account-locking\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Failed-Login Tracking and Temporary Account Locking<\/a><\/li><li><a href=\"http:\/\/dasini.net\/blog\/2020\/05\/19\/mysql-security-dual-password-support\/\" target=\"_blank\" aria-label=\"Dual Password Support (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Dual Password Support<\/a><\/li><\/ul>\n\n\n<\/div><\/div>\n\n\n\n<p><strong><span style=\"text-decoration: underline;\">MySQL Security Series<\/span> (1st edition)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/03\/01\/mysql-security-password-validation-plugin\/\" target=\"_blank\">Password Validation Plugin<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/03\/07\/mysql-security-password-management\/\" target=\"_blank\">Password Management<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/03\/14\/mysql-security-user-account-locking\/\" target=\"_blank\">User Account Locking<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/03\/29\/mysql-security-the-connection-control-plugins\/\" target=\"_blank\">The Connection-Control Plugins<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/04\/mysql-security-mysql-enterprise-audit\/\" target=\"_blank\">Enterprise Audit<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/10\/mysql-security-mysql-enterprise-transparent-data-encryption\/\" target=\"_blank\">Enterprise Transparent Data Encryption (TDE)<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/16\/mysql-security-mysql-enterprise-firewall\/\" target=\"_blank\">Enterprise 
Firewall<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2019\/03\/19\/mysql-security-mysql-enterprise-data-masking-and-de-identification\/\" target=\"_blank\">Enterprise Data Masking and De-Identification<\/a> <\/li><\/ul>\n\n\n\n<p class=\"has-vivid-red-color has-text-color\"><strong>Thanks for using MySQL!<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>MySQL 8.0 has introduced an optional behavior that authorizes users to change their password only if they can provide the current 
password.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"categories":[203,365,339],"tags":[689,1626,1629,690,367],"class_list":["post-3561","post","type-post","status-publish","format-standard","hentry","category-mysql-en","category-security","category-tuto-en","tag-hipaa","tag-password","tag-password-verification","tag-pci-dss","tag-security"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9LfWW-Vr","jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/posts\/3561","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/comments?post=3561"}],"version-history":[{"count":25,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/posts\/3561\/revisions"}],"predecessor-version":[{"id":3717,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/posts\/3561\/revisions\/3717"}],"wp:attachment":[{"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/media?parent=3561"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/categories?post=3561"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/tags?post=3561"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}