
{"id":3575,"date":"2020-05-12T08:58:49","date_gmt":"2020-05-12T07:58:49","guid":{"rendered":"http:\/\/dasini.net\/blog\/?p=3575"},"modified":"2020-06-03T08:24:36","modified_gmt":"2020-06-03T07:24:36","slug":"mysql-security-failed-login-tracking-and-temporary-account-locking","status":"publish","type":"post","link":"https:\/\/dasini.net\/blog\/2020\/05\/12\/mysql-security-failed-login-tracking-and-temporary-account-locking\/","title":{"rendered":"MySQL Security &#8211; Failed-Login Tracking and Temporary Account Locking"},"content":{"rendered":"\n<p>When thinking about security within a MySQL installation, you can consider a wide range of possible procedures \/ best practices and how they affect the security of your MySQL server and related applications. <\/p>\n\n\n\n<p>MySQL provides many tools \/ features \/ plugins or components in order to protect your data including some advanced features like <a aria-label=\"Transparent Data Encryption (TDE) (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/10\/mysql-security-mysql-enterprise-transparent-data-encryption\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\"><strong>Transparent Data Encryption<\/strong> (TDE)<\/a>,&nbsp;<strong><a aria-label=\" (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/04\/mysql-security-mysql-enterprise-audit\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Audit<\/a><\/strong>, <strong><a aria-label=\" (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2019\/03\/19\/mysql-security-mysql-enterprise-data-masking-and-de-identification\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Data Masking &amp; De-Identification<\/a><\/strong>, <strong><a aria-label=\" (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/16\/mysql-security-mysql-enterprise-firewall\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Firewall<\/a><\/strong>, <strong><a 
aria-label=\" (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/15\/mysql-security-random-password-generation\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Random Password Generation<\/a><\/strong>, <a aria-label=\"Password Expiration Policy (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/21\/mysql-security-password-expiration-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\"><strong>Password Expiration Policy<\/strong><\/a>, <a aria-label=\"Password Reuse Policy (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/28\/mysql-security-password-reuse-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\"><strong>Password Reuse Policy<\/strong><\/a>, <strong><a aria-label=\" (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/05\/05\/mysql-security-password-verification-required-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Password Verification-Required Policy<\/a><\/strong>, <strong><a href=\"http:\/\/dasini.net\/blog\/2020\/05\/19\/mysql-security-dual-password-support\/\" target=\"_blank\" aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Dual Password Support,<\/a><\/strong> <a aria-label=\"Connection-Control Plugin (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2018\/03\/29\/mysql-security-the-connection-control-plugins\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Connection-Control Plugins<\/a>, Password Validation Component, etc\u2026<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/dasini.net\/blog\/wp-content\/uploads\/MySQL_DB_Lock2.png\" alt=\"MySQL 
Security\"\/><\/figure><\/div>\n<\/div><\/div>\n\n\n\n<p>Basic password policy practices teach us:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Each user must have a password<\/li><li>A user&rsquo;s password should be changed periodically<\/li><\/ul>\n\n\n\n<p>However, this is unfortunately often not enough.<br>The good news is that MySQL 8.0 provides an easy way to increase database security with its <strong>failed-login tracking and temporary account locking<\/strong> feature.<\/p>\n\n\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">TL;DR<\/h3>\n\n\n\n<p class=\"has-text-color has-vivid-cyan-blue-color\">A DBA can configure user accounts such that too many consecutive login failures cause temporary account locking.<\/p>\n\n\n\n\n\n<figure class=\"wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Temporary Account Locking in MySQL\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/6HO_ciRbiXw?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption>Temporary Account Locking in MySQL<\/figcaption><\/figure>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n\n\n<p>After a number of consecutive connection attempts in which the client fails to provide a correct password, the user account can be temporarily locked.<\/p>\n\n\n\n<p>The required number of failures and the lock time are configurable per account, using the <strong><em>FAILED_LOGIN_ATTEMPTS<\/em><\/strong> (track consecutive login failures) and <strong><em>PASSWORD_LOCK_TIME<\/em><\/strong> (how many days to lock the account) options.<\/p>\n\n\n\n<p>Both are options of the <strong><em>CREATE USER<\/em><\/strong> and <strong><em>ALTER 
USER<\/em><\/strong> statements.<\/p>\n\n\n\n\n\n<p>Let\u2019s have a quick look using MySQL 8.0:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL SQL> SELECT VERSION();\n+-----------+\n| VERSION() |\n+-----------+\n| 8.0.19    |\n+-----------+<\/code><\/pre>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">Account lock<\/h2>\n\n\n\n<p>Create a user whose account will be locked for 1 day after 1 failed login:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ mysqlsh root@localhost:3306 --sql\n...\n\n\nMySQL localhost:3306 ssl SQL> \nCREATE USER aUser@localhost IDENTIFIED BY 'pAssw0rD' FAILED_LOGIN_ATTEMPTS 1 PASSWORD_LOCK_TIME 1;<\/code><\/pre>\n\n\n\n<p><strong><em>FAILED_LOGIN_ATTEMPTS<\/em><\/strong>: how many consecutive incorrect passwords cause temporary account locking. <br>A value of <strong>0<\/strong> disables the option.<\/p>\n\n\n\n<p><strong><em>PASSWORD_LOCK_TIME<\/em><\/strong>: number of days the account remains locked, or <strong><em>UNBOUNDED<\/em><\/strong> (i.e. the duration of that state does not end until the account is unlocked). <br>A value of <strong>0<\/strong> disables the option.<\/p>\n\n\n\n\n\n<p>We can see the user account details in the <strong><em>mysql.user<\/em><\/strong> table:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL localhost:3306 ssl SQL> \nSELECT user, host, User_attributes FROM mysql.user WHERE user = 'aUser'\\G\n*************************** 1. 
row ***************************\n           user: aUser\n           host: localhost\nUser_attributes: {\"Password_locking\": {\"failed_login_attempts\": 1, \"password_lock_time_days\": 1}}<\/code><\/pre>\n\n\n\n<p>If login fails <em>FAILED_LOGIN_ATTEMPTS<\/em> consecutive times (1 time in this example), the account is locked:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL localhost:3306 ssl SQL> \n\\connect aUser@localhost:3306\nCreating a session to 'aUser@localhost:3306'\nPlease provide the password for 'aUser@localhost:3306': *\nMySQL Error 3955 (HY000): Access denied for user 'aUser'@'localhost'. Account is blocked for 1 day(s) (1 day(s) remaining) due to 1 consecutive failed logins.<\/code><\/pre>\n\n\n\n\n\n<p>Tracking and locking can also be set up after the user is created:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ mysqlsh root@localhost:3306 --sql\n\n\nMySQL localhost:3306 ssl SQL> \nCREATE USER aUser2@localhost IDENTIFIED BY 'Dr0wssAp';\n\n\nALTER USER aUser2@localhost FAILED_LOGIN_ATTEMPTS 2 PASSWORD_LOCK_TIME UNBOUNDED;<\/code><\/pre>\n\n\n\n<p>In this example, the user account will be locked (until the account is unlocked &#8211; more on that later) after 2 consecutive failed attempts.<\/p>\n\n\n\n\n\n<p>You can also lock an account explicitly using the <strong><em>ACCOUNT LOCK<\/em><\/strong> clause:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL localhost:3306 ssl SQL>\nCREATE USER aLockedUser@localhost IDENTIFIED BY RANDOM PASSWORD ACCOUNT LOCK;\n+-------------+-----------+----------------------+\n| user        | host      | generated password   |\n+-------------+-----------+----------------------+\n| aLockedUser | localhost | @.Yp{;ONp7-G62+EfON1 |\n+-------------+-----------+----------------------+<\/code><\/pre>\n\n\n\n<p>In this example I created a user account with a random password generated by MySQL. 
This account is created locked.<\/p>\n\n\n\n<p>Details are visible in the <strong><em>mysql.user<\/em><\/strong> table:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL localhost:3306 ssl SQL>\nSELECT user, host, account_locked FROM mysql.user WHERE user = 'aLockedUser';\n+-------------+-----------+----------------+\n| user        | host      | account_locked |\n+-------------+-----------+----------------+\n| aLockedUser | localhost | Y              |\n+-------------+-----------+----------------+<\/code><\/pre>\n\n\n\n<p>Any connection attempt to this account will raise <strong><em>error 3118<\/em><\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL localhost:3306 ssl SQL>\n\\connect aLockedUser@localhost:3306 \nCreating a session to 'aLockedUser@localhost:3306'\nPlease provide the password for 'aLockedUser@localhost:3306': ********************\nMySQL Error 3118 (HY000): Access denied for user 'aLockedUser'@'localhost'. Account is locked.<\/code><\/pre>\n\n\n\n<p>This account can be activated with something like:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL localhost:3306 ssl SQL> \nALTER USER aLockedUser@localhost ACCOUNT UNLOCK FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME UNBOUNDED;<\/code><\/pre>\n\n\n\n<p>Again, the <strong><em>mysql.user<\/em><\/strong> table will give you some information:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL localhost:3306 ssl SQL> \nSELECT user, host, account_locked, User_attributes FROM mysql.user WHERE user = 'aLockedUser'\\G\n*************************** 1. 
row ***************************\n           user: aLockedUser\n           host: localhost\n account_locked: N\nUser_attributes: {\"Password_locking\": {\"failed_login_attempts\": 5, \"password_lock_time_days\": -1}}<\/code><\/pre>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">Account unlock<\/h2>\n\n\n\n<p>An account can be unlocked with an <strong><em>ALTER USER<\/em><\/strong> \u2026 <strong><em>ACCOUNT UNLOCK<\/em><\/strong> statement:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MySQL localhost:3306 ssl SQL>\n\\connect aUser@localhost:3306\nCreating a session to 'aUser@localhost:3306'\nPlease provide the password for 'aUser@localhost:3306': \nMySQL Error 3955 (HY000): Access denied for user 'aUser'@'localhost'. Account is blocked for unlimited day(s) (unlimited day(s) remaining) due to 2 consecutive failed logins.\n\n\nALTER USER aUser@localhost ACCOUNT UNLOCK;\nQuery OK, 0 rows affected (0.0047 sec)\n\n\n\\connect aUser@localhost:3306\nCreating a session to 'aUser@localhost:3306'\nPlease provide the password for 'aUser@localhost:3306': ********\nClosing old connection...\nYour MySQL connection id is 63\n...\nSELECT USER();\n+-----------------+\n| USER()          |\n+-----------------+\n| aUser@localhost |\n+-----------------+\n<\/code><\/pre>\n\n\n\n\n\n<p>Other ways to unlock an account are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Execution of an ALTER USER statement for the account that sets either FAILED_LOGIN_ATTEMPTS or PASSWORD_LOCK_TIME (or both) to any value.<br>e.g.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ALTER USER aUser@localhost FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1;<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Obviously, when the lock duration passes.<br>In this case, failed-login counting resets at the time of the next login attempt.<\/li><li>Execution of <strong><em>FLUSH PRIVILEGES<\/em><\/strong><\/li><li>A server restart<\/li><\/ul>\n\n\n\n\n\n\n\n<h2 class=\"wp-block-heading\">To Go 
Further<\/h2>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<p><strong><a rel=\"noreferrer noopener\" href=\"https:\/\/www.youtube.com\/channel\/UC12TulyJsJZHoCmby3Nm3WQ\" target=\"_blank\" class=\"aioseop-link\"><span style=\"text-decoration: underline;\">Olivier&rsquo;s MySQL Channel<\/span><\/a><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/youtu.be\/k4K-scd4oI0\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Establish a policy for password expiration with MySQL\">Establish a policy for password expiration with MySQL<\/a><\/li><li><a href=\"https:\/\/youtu.be\/VND0KvuX7bc\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Create users with a random password in MySQL\">Create users with a random password in MySQL<\/a><\/li><li><a href=\"https:\/\/www.youtube.com\/watch?v=4z6-dlGT-Mc\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Enable restrictions on reuse of previous passwords with MySQL\">Enable restrictions on reuse of previous passwords with MySQL<\/a><\/li><li><a href=\"https:\/\/www.youtube.com\/watch?v=1RwlU14TDWk\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Require MySQL users to provide their current password to change it\">Require MySQL users to provide their current password to change it<\/a><\/li><li><a href=\"https:\/\/www.youtube.com\/watch?v=6HO_ciRbiXw\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Temporary Account Locking in MySQL\">Temporary Account Locking in MySQL<\/a><\/li><\/ul>\n\n\n<\/div><\/div>\n\n\n\n<p><strong><span style=\"text-decoration: underline;\">Reference Manual<\/span><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/password-management.html#failed-login-tracking\" target=\"_blank\" aria-label=\"Failed-Login Tracking and Temporary Account Locking (opens in a new tab)\" rel=\"noreferrer noopener\" 
class=\"aioseop-link\">Failed-Login Tracking and Temporary Account Locking<\/a><\/li><\/ul>\n\n\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<p><strong><span style=\"text-decoration: underline;\">MySQL Security<\/span><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/dev.mysql.com\/doc\/mysql-security-excerpt\/8.0\/en\/\">Security in MySQL<\/a><\/li><li><a href=\"https:\/\/dev.mysql.com\/doc\/mysql-secure-deployment-guide\/8.0\/en\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"MySQL 8.0 Secure Deployment Guide? (opens in a new tab)\">MySQL 8.0 Secure Deployment Guide<\/a><\/li><li><a href=\"https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/security.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"MySQL 8.0 Reference Manual \u2013 Security (opens in a new tab)\">MySQL 8.0 Reference Manual \u2013 Security<\/a><\/li><\/ul>\n<\/div><\/div>\n\n\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<p><strong><span style=\"text-decoration: underline;\">MySQL Security Series &#8211; Password Management<\/span><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a aria-label=\"Random Password Generation? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/15\/mysql-security-random-password-generation\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Random Password Generation<\/a><\/li><li><a aria-label=\"Password Expiration Policy? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/21\/mysql-security-password-expiration-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Password Expiration Policy<\/a><\/li><li><a aria-label=\"Password Reuse Policy? 
(opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/04\/28\/mysql-security-password-reuse-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Password Reuse Policy<\/a><\/li><li><a aria-label=\"Password Verification-Required Policy? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/05\/05\/mysql-security-password-verification-required-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Password Verification-Required Policy<\/a><\/li><li><a aria-label=\"Failed-Login Tracking and Temporary Account Locking? (opens in a new tab)\" href=\"http:\/\/dasini.net\/blog\/2020\/05\/12\/mysql-security-failed-login-tracking-and-temporary-account-locking\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Failed-Login Tracking and Temporary Account Locking<\/a><\/li><li><a href=\"http:\/\/dasini.net\/blog\/2020\/05\/19\/mysql-security-dual-password-support\/\" target=\"_blank\" aria-label=\"Dual Password Support (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"aioseop-link\">Dual Password Support<\/a><\/li><\/ul>\n\n\n<\/div><\/div>\n\n\n\n<p><strong><span style=\"text-decoration: underline;\">MySQL Security Series<\/span> (1st edition)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/03\/01\/mysql-security-password-validation-plugin\/\" target=\"_blank\">Password Validation Plugin<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/03\/07\/mysql-security-password-management\/\" target=\"_blank\">Password Management<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/03\/14\/mysql-security-user-account-locking\/\" target=\"_blank\">User Account Locking<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/03\/29\/mysql-security-the-connection-control-plugins\/\" target=\"_blank\">The 
Connection-Control Plugins<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/04\/mysql-security-mysql-enterprise-audit\/\" target=\"_blank\">Enterprise Audit<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/10\/mysql-security-mysql-enterprise-transparent-data-encryption\/\" target=\"_blank\">Enterprise Transparent Data Encryption (TDE)<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2018\/04\/16\/mysql-security-mysql-enterprise-firewall\/\" target=\"_blank\">Enterprise Firewall<\/a><\/li><li> <a rel=\"noreferrer noopener\" href=\"http:\/\/dasini.net\/blog\/2019\/03\/19\/mysql-security-mysql-enterprise-data-masking-and-de-identification\/\" target=\"_blank\">Enterprise Data Masking and De-Identification<\/a> <\/li><\/ul>\n\n\n\n\n\n\n\n<div style=\"height:75px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-vivid-red-color has-text-color\"><strong>Thanks for using MySQL!<\/strong><\/p>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><a href=\"https:\/\/www.linkedin.com\/groups\/12524512\/\" target=\"_blank\" rel=\"noopener\" title=\"Olivier DASINI on Linkedin\">Follow me on Linkedin<\/a><\/p>\n\n\n\n<p>Watch my videos on my <a href=\"https:\/\/www.youtube.com\/channel\/UC12TulyJsJZHoCmby3Nm3WQ\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Olivier's MySQL Channel\">YouTube channel<\/a> and <a href=\"https:\/\/www.youtube.com\/channel\/UC12TulyJsJZHoCmby3Nm3WQ\/?sub_confirmation=1\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Subscribe\">subscribe<\/a>.<\/p>\n\n\n\n<p>My <a href=\"https:\/\/www.slideshare.net\/freshdaz\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Olivier DASINI on Slideshare\">Slideshare account<\/a>.<\/p>\n\n\n\n<p>My <a 
href=\"https:\/\/speakerdeck.com\/freshdaz\/\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"Olivier DASINI on Speaker Deck\">Speaker Deck account<\/a>.<\/p>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-vivid-red-color has-text-color\"><strong>Thanks for using HeatWave &amp; MySQL!<\/strong><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>DBA can configure user accounts such that too many consecutive login failures cause temporary account locking.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"categories":[203,365,339],"tags":[689,690,367,379],"class_list":["post-3575","post","type-post","status-publish","format-standard","hentry","category-mysql-en","category-security","category-tuto-en","tag-hipaa","tag-pci-dss","tag-security","tag-user-account-locking"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9LfWW-VF","jetpack-related-posts":[{"id":2177,"url":"https:\/\/dasini.net\/blog\/2018\/03\/14\/mysql-security-user-account-locking\/","url_meta":{"origin":3575,"position":0},"title":"MySQL Security &#8211; User Account Locking","author":"Olivier DASINI","date":"14 mars 2018","format":false,"excerpt":"For security reasons some context require you to setup a user account locking policy. Thus an unauthorized user is not able (anymore) to login to the MySQL server. 
In this 3rd article of the\u00a0MySQL 5.7 Security series, we\u00a0will see how to [un]lock a user account.","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"MySQL Security","src":"https:\/\/i0.wp.com\/dasini.net\/blog\/wp-content\/uploads\/MySQL_DB_Lock2.png?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":3557,"url":"https:\/\/dasini.net\/blog\/2020\/04\/15\/mysql-security-random-password-generation\/","url_meta":{"origin":3575,"position":1},"title":"MySQL Security &#8211; Random Password Generation","author":"Olivier DASINI","date":"15 avril 2020","format":false,"excerpt":"MySQL has the capability of generating random passwords for user accounts, as an alternative to requiring explicit administrator-specified literal passwords.","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/VND0KvuX7bc\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":3567,"url":"https:\/\/dasini.net\/blog\/2020\/05\/19\/mysql-security-dual-password-support\/","url_meta":{"origin":3575,"position":2},"title":"MySQL Security &#8211; Dual Password Support","author":"Olivier DASINI","date":"19 mai 2020","format":false,"excerpt":"Dual-password capability makes it possible to seamlessly perform credential changes without downtime.","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3535,"url":"https:\/\/dasini.net\/blog\/2020\/04\/28\/mysql-security-password-reuse-policy\/","url_meta":{"origin":3575,"position":3},"title":"MySQL Security &#8211; Password Reuse Policy","author":"Olivier DASINI","date":"28 avril 2020","format":false,"excerpt":"MySQL 
provides password-reuse capability, which allows database administrators to determine the number of unique passwords a user must use before they can use an old password again.","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/4z6-dlGT-Mc\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":2156,"url":"https:\/\/dasini.net\/blog\/2018\/03\/07\/mysql-security-password-management\/","url_meta":{"origin":3575,"position":4},"title":"MySQL Security \u2013 Password Management","author":"Olivier DASINI","date":"7 mars 2018","format":false,"excerpt":"Some regulations required\u00a0that the password is renewed in a timely and appropriate manner (e.g. every 90 days). In this article, 2nd of the MySQL 5.7 Security series, we will see how to\u00a0to establish a policy for password expiration\u00a0with MySQL 5.7\u00a0Password\u00a0Management.","rel":"","context":"Dans &quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"MySQL Security","src":"https:\/\/i0.wp.com\/dasini.net\/blog\/wp-content\/uploads\/MySQL_DB_Lock2.png?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":3508,"url":"https:\/\/dasini.net\/blog\/2020\/04\/21\/mysql-security-password-expiration-policy\/","url_meta":{"origin":3575,"position":5},"title":"MySQL Security \u2013 Password Expiration Policy","author":"Olivier DASINI","date":"21 avril 2020","format":false,"excerpt":"MySQL provides password-expiration capability, which enables database administrators to require that users reset their password.","rel":"","context":"Dans 
&quot;MySQL&quot;","block_context":{"text":"MySQL","link":"https:\/\/dasini.net\/blog\/category\/mysql-en\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/k4K-scd4oI0\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/posts\/3575","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/comments?post=3575"}],"version-history":[{"count":24,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/posts\/3575\/revisions"}],"predecessor-version":[{"id":3738,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/posts\/3575\/revisions\/3738"}],"wp:attachment":[{"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/media?parent=3575"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/categories?post=3575"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dasini.net\/blog\/wp-json\/wp\/v2\/tags?post=3575"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}