MySQL passwords have evolved with versions 5.6 and 5.7, and we now have ways to ensure strength and expiration. But some ‘tinker toys’ are missing, which keeps it from being a complete system.
We do have a way of expiring passwords and forcing a user to change their password. But there is no way for the database to warn users that their password is about to expire or has expired. There is no way to check whether a user changed their password and then changed it back to their ol’ favorite. There is no way to see when the password was last changed, or any time before that. There is no way to force these changes every X period, or to make sure some accounts do not change (root, accounts used for applications). None of this is extremely complex to create, and over a few blog posts you will get a chance to help design such a system.
But for now we have to determine how some items are engineered. Do we keep users from reusing passwords (and for how long)? Do we note changes someplace (SYSLOG, a table)? Can we use the new password dictionary to block easy-to-guess passwords? How much warning do we give for changes, and what do we gather for management reporting? Should we add tables to the mysql database or create something new? I know the MySQL Community is not shy, so please share your views. So sound off! Let me know your views (or needs) and we will get something roughed out logically next time.