6.4.3 The Password Validation Component

6.4.3.1 Password Validation Component Installation and Uninstallation
6.4.3.2 Password Validation Options and Variables
6.4.3.3 Transitioning to the Password Validation Component

The validate_password component serves to improve security by requiring account passwords and enabling strength testing of potential passwords. This component exposes system variables that enable you to configure password policy, and status variables for component monitoring.

Note

In MySQL 8.0, the validate_password plugin was reimplemented as the validate_password component. (For general information about components, see Section 5.5, “MySQL Components”.) The following instructions describe how to use the component, not the plugin. For instructions on using the plugin form of validate_password, see The Password Validation Plugin, in MySQL 5.7 Reference Manual.

The plugin form of validate_password is still available but is deprecated; expect it to be removed in a future version of MySQL. MySQL installations that use the plugin should make the transition to using the component instead. See Section 6.4.3.3, “Transitioning to the Password Validation Component”.

The validate_password component implements these capabilities:

Note

For statements that assign or modify account passwords (ALTER USER, CREATE USER, and SET PASSWORD), the validate_password capabilities described here apply only to accounts that use an authentication plugin that stores credentials internally to MySQL. For accounts that use plugins that perform authentication against a credentials system external to MySQL, password management must be handled externally against that system as well. For more information about internal credentials storage, see Section 6.2.15, “Password Management”.

The preceding restriction does not apply to use of the VALIDATE_PASSWORD_STRENGTH() function because it does not affect accounts directly.

Examples:

To configure password checking, modify the system variables having names of the form validate_password.xxx; these are the parameters that control password policy. See Section 6.4.3.2, “Password Validation Options and Variables”.

If validate_password is not installed, the validate_password.xxx system variables are not available, passwords in statements are not checked, and the VALIDATE_PASSWORD_STRENGTH() function always returns 0. For example, without the plugin installed, accounts can be assigned passwords shorter than 8 characters, or no password at all.

Assuming that validate_password is installed, it implements three levels of password checking: LOW, MEDIUM, and STRONG. The default is MEDIUM; to change this, modify the value of validate_password.policy. The policies implement increasingly strict password tests. The following descriptions refer to default parameter values, which can be modified by changing the appropriate system variables.

In addition, validate_password supports the capability of rejecting passwords that match the user name part of the effective user account for the current session, either forward or in reverse. To provide control over this capability, validate_password exposes a validate_password.check_user_name system variable, which is enabled by default.
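
The following audit sequence is an added example, not part of the original manual text. It checks that the component is registered and enforcing, using the variables and function named above. The account 'audit_probe'@'localhost' and the candidate passwords are constructed for illustration; run it from an administrative session on a test instance.

```sql
-- Added example: verify that validate_password is installed and enforcing.
-- 'audit_probe'@'localhost' and all candidate passwords are constructed.

-- 1. Is the component registered? No row means passwords are not checked.
SELECT component_urn
  FROM mysql.component
 WHERE component_urn = 'file://component_validate_password';

-- 2. Run only if step 1 returned no row: register the component.
INSTALL COMPONENT 'file://component_validate_password';

-- 3. Review the active policy parameters (the validate_password.xxx variables).
--    An empty result here also indicates that the component is not installed.
SHOW VARIABLES LIKE 'validate_password.%';

-- 4. Optional: move from the default MEDIUM level to a stricter one.
SET GLOBAL validate_password.policy = 'STRONG';

-- 5. Keep the user-name check enabled (it is enabled by default).
SET GLOBAL validate_password.check_user_name = ON;

-- 6. Score candidates without touching any account.
--    A score of 0 for every candidate is what an uninstalled component produces.
SELECT VALIDATE_PASSWORD_STRENGTH('abc') AS short_candidate,
       VALIDATE_PASSWORD_STRENGTH('Constructed-Sample-Passphrase-42!') AS long_candidate;

-- 7. Probe the user-name rule for the current session: the user name part of
--    the effective account, forward and reversed.
SELECT VALIDATE_PASSWORD_STRENGTH(
         SUBSTRING_INDEX(CURRENT_USER(), '@', 1)) AS name_forward,
       VALIDATE_PASSWORD_STRENGTH(
         REVERSE(SUBSTRING_INDEX(CURRENT_USER(), '@', 1))) AS name_reversed;

-- 8. Enforcement check: with the component active, this statement should be
--    rejected because the password is shorter than 8 characters.
CREATE USER 'audit_probe'@'localhost' IDENTIFIED BY 'abc';

-- 9. Clean up. If the account exists at this point, step 8 succeeded and
--    password checking is not being enforced.
DROP USER IF EXISTS 'audit_probe'@'localhost';
```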
