The validate_password component serves to improve security by requiring account passwords and enabling strength testing of potential passwords. This component exposes system variables that enable you to configure password policy, and status variables for component monitoring.

In MySQL 8.0, the validate_password plugin was reimplemented as the validate_password component. (For general information about components, see Section 5.5, “MySQL Components”.) The following instructions describe how to use the component, not the plugin. For instructions on using the plugin form of validate_password, see The Password Validation Plugin, in the MySQL 5.7 Reference Manual.

The plugin form of validate_password is still available but is deprecated; expect it to be removed in a future version of MySQL. MySQL installations that use the plugin should make the transition to using the component instead. See Section 6.4.3.3, “Transitioning to the Password Validation Component”.

The validate_password component implements these capabilities:
For SQL statements that assign a password supplied as a cleartext value, validate_password checks the password against the current password policy and rejects the password if it is weak (the statement returns an ER_NOT_VALID_PASSWORD error). This applies to the ALTER USER, CREATE USER, and SET PASSWORD statements.

For CREATE USER statements, validate_password requires that a password be given, and that it satisfies the password policy. This is true even if an account is locked initially, because otherwise unlocking the account later would cause it to become accessible without a password that satisfies the policy.

validate_password implements a VALIDATE_PASSWORD_STRENGTH() SQL function that assesses the strength of potential passwords. This function takes a password argument and returns an integer from 0 (weak) to 100 (strong).

For statements that assign or modify account passwords (ALTER USER, CREATE USER, and SET PASSWORD), the validate_password capabilities described here apply only to accounts that use an authentication plugin that stores credentials internally to MySQL. For accounts that use plugins that perform authentication against a credentials system external to MySQL, password management must be handled externally against that system as well. For more information about internal credentials storage, see Section 6.2.15, “Password Management”.

The preceding restriction does not apply to use of the VALIDATE_PASSWORD_STRENGTH() function, because it does not affect accounts directly.
Examples:

validate_password checks the cleartext password in the following statement. Under the default password policy, which requires passwords to be at least 8 characters long, the password is weak and the statement produces an error:

mysql> ALTER USER USER() IDENTIFIED BY 'abc';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

Passwords specified as hashed values are not checked because the original password value is not available for checking. Consequently, a user who can assign a hashed value can set a password that the policy would have rejected in cleartext form, so treat the privilege to do so accordingly:

mysql> ALTER USER 'jeffrey'@'localhost'
       IDENTIFIED WITH mysql_native_password
       AS '*0D3CED9BEC10A777AEC23CCC353A8C08A633045E';
Query OK, 0 rows affected (0.01 sec)

This account-creation statement fails, even though the account is locked initially, because it does not include a password that satisfies the current password policy:

mysql> CREATE USER 'juanita'@'localhost' ACCOUNT LOCK;
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

To check a password, use the VALIDATE_PASSWORD_STRENGTH() function:

mysql> SELECT VALIDATE_PASSWORD_STRENGTH('weak');
+------------------------------------+
| VALIDATE_PASSWORD_STRENGTH('weak') |
+------------------------------------+
|                                 25 |
+------------------------------------+

mysql> SELECT VALIDATE_PASSWORD_STRENGTH('lessweak$_@123');
+----------------------------------------------+
| VALIDATE_PASSWORD_STRENGTH('lessweak$_@123') |
+----------------------------------------------+
|                                           50 |
+----------------------------------------------+

mysql> SELECT VALIDATE_PASSWORD_STRENGTH('N0Tweak$_@123!');
+----------------------------------------------+
| VALIDATE_PASSWORD_STRENGTH('N0Tweak$_@123!') |
+----------------------------------------------+
|                                          100 |
+----------------------------------------------+
To configure password checking, modify the system variables having names of the form validate_password.xxx; these are the parameters that control password policy. See Section 6.4.3.2, “Password Validation Options and Variables”.

If validate_password is not installed, the validate_password.xxx system variables are not available, passwords in statements are not checked, and the VALIDATE_PASSWORD_STRENGTH() function always returns 0. For example, without the component installed, accounts can be assigned passwords shorter than 8 characters, or no password at all.

Assuming that validate_password is installed, it implements three levels of password checking: LOW, MEDIUM, and STRONG. The default is MEDIUM; to change this, modify the value of validate_password.policy. The policies implement increasingly strict password tests. The following descriptions refer to default parameter values, which can be modified by changing the appropriate system variables.
LOW policy tests password length only. Passwords must be at least 8 characters long. To change this length, modify validate_password.length.

MEDIUM policy adds the conditions that passwords must contain at least 1 numeric character, 1 lowercase character, 1 uppercase character, and 1 special (nonalphanumeric) character. To change these values, modify validate_password.number_count, validate_password.mixed_case_count, and validate_password.special_char_count.

STRONG policy adds the condition that password substrings of length 4 or longer must not match words in the dictionary file, if one has been specified. To specify the dictionary file, modify validate_password.dictionary_file.

In addition, validate_password supports the capability of rejecting passwords that match the user name part of the effective user account for the current session, either forward or in reverse. To provide control over this capability, validate_password exposes a validate_password.check_user_name system variable, which is enabled by default.
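To make the three policy levels and the VALIDATE_PASSWORD_STRENGTH() scores concrete, the following is an added Python model of those checks, written for this page; it is not MySQL's code and does not reproduce the component exactly. It takes the score ladder from MySQL's documentation of VALIDATE_PASSWORD_STRENGTH() (0 for fewer than 4 characters, 25 below validate_password.length, then 50, 75 and 100 for satisfying LOW, MEDIUM and STRONG), assumes that the dictionary comparison is case-insensitive, and models the statement-side check, including the user-name test, in a hypothetical check_password function. The sample passwords and dictionary words are constructed; the three passwords from the examples above score 25, 50 and 100 here as they do on the page.

```python
"""Model of validate_password policy checks (added example, not MySQL code)."""

# Mirrors the default values of the validate_password.xxx system variables.
DEFAULTS = {
    "length": 8,
    "number_count": 1,
    "mixed_case_count": 1,
    "special_char_count": 1,
    "check_user_name": True,
}


def load_dictionary(lines):
    """One word per line, as in validate_password.dictionary_file.
    Assumption: comparison is case-insensitive, so words are lowercased."""
    return frozenset(w.strip().lower() for w in lines if w.strip())


def passes_low(pw, cfg):
    # LOW: length only.
    return len(pw) >= cfg["length"]


def passes_medium(pw, cfg):
    # MEDIUM: LOW plus minimum counts of digits, lower/upper case and specials.
    digits = sum(c.isdigit() for c in pw)
    lower = sum(c.islower() for c in pw)
    upper = sum(c.isupper() for c in pw)
    special = sum(not c.isalnum() for c in pw)
    return (passes_low(pw, cfg)
            and digits >= cfg["number_count"]
            and lower >= cfg["mixed_case_count"]
            and upper >= cfg["mixed_case_count"]
            and special >= cfg["special_char_count"])


def passes_strong(pw, cfg, dictionary):
    # STRONG: MEDIUM plus no substring of length >= 4 found in the dictionary.
    if not passes_medium(pw, cfg):
        return False
    if not dictionary:
        return True  # no dictionary file specified: nothing to match against
    low = pw.lower()  # assumption: case-insensitive match
    for i in range(len(low)):
        for j in range(i + 4, len(low) + 1):
            if low[i:j] in dictionary:
                return False
    return True


def strength(pw, cfg=DEFAULTS, dictionary=frozenset()):
    """Score ladder documented for VALIDATE_PASSWORD_STRENGTH().
    The function grades against every level, not only the active policy."""
    if len(pw) < 4:
        return 0
    if not passes_low(pw, cfg):
        return 25
    if not passes_medium(pw, cfg):
        return 50
    if not passes_strong(pw, cfg, dictionary):
        return 75
    return 100


def check_password(pw, policy, user_name, cfg=DEFAULTS, dictionary=frozenset()):
    """Hypothetical model of the check applied to CREATE USER, ALTER USER and
    SET PASSWORD under validate_password.policy. Returns (accepted, message)."""
    if cfg["check_user_name"] and user_name and pw in (user_name, user_name[::-1]):
        return False, "password matches the user name, forward or reversed"
    required = {"LOW": 50, "MEDIUM": 75, "STRONG": 100}[policy]
    if strength(pw, cfg, dictionary) < required:
        return False, ("ERROR 1819 (HY000): Your password does not satisfy "
                       "the current policy requirements")
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the page's three sample passwords plus a dictionary hit.
    words = load_dictionary(["password", "qwerty"])
    for pw in ("weak", "lessweak$_@123", "N0Tweak$_@123!", "MyPassword$123"):
        print(pw, strength(pw, dictionary=words))
    print(check_password("juanita", "MEDIUM", "juanita"))
```

Note that 'MyPassword$123' satisfies MEDIUM but scores 75 once 'password' is in the dictionary, so it is accepted under validate_password.policy=MEDIUM and rejected under STRONG; with no dictionary file the same password scores 100.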