More MySQL Password Expiration


MySQL passwords have evolved with versions 5.6 and 5.7, and we now have ways to ensure strength and expiration. There are some ‘tinker toys’ missing that keep it from being a complete system.

We do have a way of expiring passwords and forcing a user to change their password. But there is no way for the database to warn users that their password is about to expire or has expired. There is no way to check whether a user changed their password and then changed it back to their ol’ favorite. There is no way to see when the password was last changed, or any time before that. There is no way to force these changes every X period, or to make sure some accounts do not change (root, accounts used for applications). None of this is extremely complex to create, and over a few blog posts you will get a chance to help design such a system.

But for now we have to determine how some items are engineered, such as: do we keep users from reusing passwords (and for how long)? Do we note changes someplace (SYSLOG, a table)? Can we use the new password dictionary to block easy-to-guess passwords? How much warning do we give before changes, and what do we gather for management reporting? Should we add tables to the mysql database or create something new? I know the MySQL Community is not shy, so please share your views. So sound off! Let me know your views (or needs) and we will get something roughed out logically next time.

One Response to More MySQL Password Expiration

  1. Forcing a password change too often can do a lot of harm, then users will simply add a number/letter for the month to the password or pick weak passwords. Some of the password validation parts could/should be plugin based to make them easily swappable and OS dependent (cracklib). A plugin based system might also make it possible to update LDAP/AD/PAM passwords from within MySQL and get the expiry status. Previous password hashes could be stored in a table (along with the username) and then be used to check if a password was used before. And it is common to not change root and app users passwords, but that’s not a good practice.
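As an added example (not code from the original post or its commenter), the following MySQL 5.7 session shows the pieces the post and the comment above are discussing: the strength and dictionary checks from the validate_password plugin, per-account expiration with exemptions for service accounts, a query for accounts nearing expiry, and a sketch of the password-history table the comment proposes. The account names, the 'app.example' host, the mysql.pw_history table and the dictionary file path are assumptions for illustration.

```sql
-- Added example, not part of the original post. MySQL 5.7 syntax; names and
-- paths below (app_user, alice, app.example, pw_history, the dictionary file)
-- are assumptions for illustration.

-- 1. Strength: load validate_password and require the STRONG policy, which
--    also rejects candidates found in the configured dictionary file.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = STRONG;
SET GLOBAL validate_password_length = 12;
SET GLOBAL validate_password_dictionary_file = '/etc/mysql/weak-passwords.txt';  -- assumed path

-- Score a candidate before setting it (0 = weakest, 100 = strongest).
SELECT VALIDATE_PASSWORD_STRENGTH('correct horse battery staple');

-- 2. Expiration (5.7.4+): rotate every 90 days by default, but exempt the
--    application account, as the post suggests for root/app logins.
SET GLOBAL default_password_lifetime = 90;
ALTER USER 'app_user'@'app.example' PASSWORD EXPIRE NEVER;
-- Force an immediate change for one account (this form also works on 5.6):
ALTER USER 'alice'@'localhost' PASSWORD EXPIRE;

-- 3. Who is close to expiring? (password_last_changed exists from 5.7.6.)
SELECT user, host, password_last_changed, password_expired
  FROM mysql.user
 WHERE password_last_changed < NOW() - INTERVAL 80 DAY;

-- 4. Password history: not built into 5.7, so this is the proposed table.
--    Only hashes are stored, exactly as mysql.user holds them, never plaintext.
CREATE TABLE mysql.pw_history (
  user        CHAR(32)  NOT NULL,
  host        CHAR(60)  NOT NULL,
  auth_string TEXT      NOT NULL,
  changed_at  TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
  KEY (user, host, changed_at)
) ENGINE=InnoDB;

-- Record the current hash whenever a change is made ...
INSERT INTO mysql.pw_history (user, host, auth_string)
SELECT user, host, authentication_string
  FROM mysql.user
 WHERE user = 'alice' AND host = 'localhost';

-- ... and refuse a candidate whose hash matches anything from the last year.
-- PASSWORD() produces the mysql_native_password hash (deprecated from 5.7.6
-- but still available), so this only works for accounts using that plugin.
SELECT COUNT(*) AS reused
  FROM mysql.pw_history
 WHERE user = 'alice' AND host = 'localhost'
   AND changed_at > NOW() - INTERVAL 365 DAY
   AND auth_string = PASSWORD('candidate-password');
```

The reuse check compares stored hashes rather than plaintext, so nothing secret is kept beyond what mysql.user already holds; the cost is that it can only recognise a reused password for accounts whose authentication plugin produces a deterministic hash, which is why the example is limited to mysql_native_password. A production version would wrap the INSERT and the check in a stored procedure that runs before ALTER USER, and would write the change event to the server log or an audit table, which is the logging question the post raises.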
