How can I use the validate_password plugin to improve the security of my Amazon RDS for MySQL DB instance?

5 minute read
0

I have an Amazon Relational Database Service (Amazon RDS) DB instance that runs MySQL. I want to use the validate_password plugin to test my passwords and improve the security of my DB instance.

Short description

MySQL provides a validate_password plugin that you can use to improve the security of an RDS for MySQL DB instance. The plugin uses parameters in the DB parameter group for your DB instance to enforce password policies. The plugin is supported for DB instances that run MySQL versions 5.7 and 8.0.

Note: The validate_password plugin is a plugin and isn't a part of the default MySQL configuration. When Amazon RDS creates a MySQL DB instance, the plugin isn't installed by default.

Resolution

Turn on the validate_password plugin for RDS for MySQL DB instance

Use the lead user to connect to the RDS for MySQL DB instance and run the following command:

MySQL [(none)]> INSTALL PLUGIN validate_password SONAME 'validate_password.so';

This installs the validate_password plugin, and then runs the plugin with the default parameter values.

Verify that validate_password plugin is installed and active on the RDS for MySQL DB instance

Run the following query on your DB instance to check the status of the validate_password plugin:

MySQL [(none)]> SELECT plugin_name, plugin_status, 
plugin_type, plugin_library FROM information_schema.plugins WHERE 
plugin_name='validate_password';

    +-------------------+---------------+-------------------+----------------------+
    | plugin_name       | plugin_status | plugin_type       | plugin_library       |
    +-------------------+---------------+-------------------+----------------------+
    | validate_password | ACTIVE        | VALIDATE PASSWORD | validate_password.so |
    +-------------------+---------------+-------------------+----------------------+

Check default values for the validate_password plugin

Run the following query to check the default parameter values for the plugin:

MySQL [(none)]> SHOW GLOBAL VARIABLES LIKE 'validate_password%';

Here are the descriptions of each parameter:

validate_password_check_user_name

  • Value - OFF
  • Description - blank

validate_password_dictionary_file

  • Value - blank
  • Description - blank

validate_password_length

  • Value - 8
  • Description - Minimum password length

validate_password_mixed_case_count

  • Value - 1
  • Description - Require passwords to have upper and lower case characters

validate_password_number_count

  • Value - 1
  • Description - Require passwords to have at least one number

validate_password_policy

  • Value - MEDIUM
  • Description - The settings group label

validate_password_special_char_count

  • Value - 1
  • Description - Require passwords to have at least one special character

Configure these parameters in the custom DB parameter group your DB instance uses, except for validate_password_dictionary_file and validate_password_check_user_name. If your DB instance uses the default parameter group, create a new parameter group, and then attach it to the DB instance. This is because you can't modify the parameter settings of a default parameter group. For more information, see Working with parameter groups.

Note: Amazon RDS doesn't validate passwords. If you use any of the following to set a user password, then the change succeeds regardless of your password policies:

  • The AWS Management Console
  • The AWS Command Line Interface (AWS CLI) modify-db-instance command
  • The Amazon RDS API ModifyDBInstance operation

Reset existing passwords and create a policy compliant password

After you install and turn on the password_validate plugin, reset your existing passwords to comply with your new validation policies.

1.    Test the password_validate plugin that's installed on your DB instance. Use the default plugin parameters previously listed to create a new DB user:

MySQL [(none)]> CREATE USER 'USER123'@'%' identified by 'password';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

Because validate_password_policy is set to MEDIUM, the password must satisfy the criteria that's described in the MySQL validate_password_policy documentation. In the preceding example, the CREATE USER command fails because it doesn't satisfy the password policy. You receive an error message similar to the following:

"Your password does not satisfy the current policy requirements."

2.    Run the following command to create a user with a password that satisfies the password policy:

MySQL [(none)]> CREATE USER 'USER123'@'%' identified by 'Password@57';
Query OK, 0 rows affected (0.01 sec)

3.    To verify that you created the user successfully, run the following command:

MySQL [(none)]> SELECT user, host FROM mysql.user WHERE ( user='USER123' AND host='%' );
+-------------------+------+
| user              | host |
+-------------------+------+
| validate_password | %    |
+-------------------+------+
1 row in set (0.00 sec)

4.    To change the password of the existing user, run the following command. Use a policy compliant password, as shown in the following example:

mysql> alter user 'USER123'@'%' identified by 'Password@2020';
Query OK, 0 rows affected (0.01 sec)

To learn more about resetting passwords for an existing user, see How to reset the root password (on the MySQL website).

Turn off the validate_password plugin for RDS MySQL DB instance

MySQL [(none)]> UNINSTALL PLUGIN validate_password;

Related information

Using the Password Validation plugin for RDS for MySQL

The Password Validation plugin in the MySQL documentation

AWS OFFICIAL
AWS OFFICIALUpdated 9 months ago