MySQL 8.0 Reference Manual
Related Documentation Download this Manual
PDF (US Ltr)- 41.6Mb
PDF (A4)- 41.7Mb
Man Pages (TGZ)- 262.2Kb
Man Pages (Zip)- 372.3Kb
Info (Gzip)- 4.0Mb
Info (Zip)- 4.0Mb
Excerpts from this Manual

6.4.3 The Password Validation Component

Thevalidate_passwordcomponent serves to improve security by requiring account passwords and enabling strength testing of potential passwords. This component exposes system variables that enable you to configure password policy, and status variables for component monitoring.


In MySQL 8.0, thevalidate_passwordplugin was reimplemented as thevalidate_passwordcomponent. (For general information about components, seeSection 5.5, “MySQL Components”.) The following instructions describe how to use the component, not the plugin. For instructions on using the plugin form ofvalidate_password, seeThe Password Validation Plugin, inMySQL 5.7 Reference Manual.

The plugin form ofvalidate_passwordis still available but is deprecated; expect it to be removed in a future version of MySQL. MySQL installations that use the plugin should make the transition to using the component instead. SeeSection, “Transitioning to the Password Validation Component”.

Thevalidate_passwordcomponent implements these capabilities:

  • For SQL statements that assign a password supplied as a cleartext value,validate_passwordchecks the password against the current password policy and rejects the password if it is weak (the statement returns anER_NOT_VALID_PASSWORDerror). This applies to theALTER USER,CREATE USER, andSET PASSWORDstatements.

  • ForCREATE USERstatements,validate_passwordrequires that a password be given, and that it satisfies the password policy. This is true even if an account is locked initially because otherwise unlocking the account later would cause it to become accessible without a password that satisfies the policy.

  • validate_passwordimplements aVALIDATE_PASSWORD_STRENGTH()SQL function that assesses the strength of potential passwords. This function takes a password argument and returns an integer from 0 (weak) to 100 (strong).


For statements that assign or modify account passwords (ALTER USER,CREATE USER, andSET PASSWORD), thevalidate_passwordcapabilities described here apply only to accounts that use an authentication plugin that stores credentials internally to MySQL. For accounts that use plugins that perform authentication against a credentials system external to MySQL, password management must be handled externally against that system as well. For more information about internal credentials storage, seeSection 6.2.15, “Password Management”.

The preceding restriction does not apply to use of theVALIDATE_PASSWORD_STRENGTH()function because it does not affect accounts directly.


  • validate_passwordchecks the cleartext password in the following statement. Under the default password policy, which requires passwords to be at least 8 characters long, the password is weak and the statement produces an error:

    mysql> ALTER USER USER() IDENTIFIED BY 'abc'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
  • Passwords specified as hashed values are not checked because the original password value is not available for checking:

    mysql> ALTER USER 'jeffrey'@'localhost' IDENTIFIED WITH mysql_native_password AS '*0D3CED9BEC10A777AEC23CCC353A8C08A633045E'; Query OK, 0 rows affected (0.01 sec)
  • This account-creation statement fails, even though the account is locked initially, because it does not include a password that satisfies the current password policy:

    mysql> CREATE USER 'juanita'@'localhost' ACCOUNT LOCK; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
  • To check a password, use theVALIDATE_PASSWORD_STRENGTH()function:

    mysql> SELECT VALIDATE_PASSWORD_STRENGTH('weak'); +------------------------------------+ | VALIDATE_PASSWORD_STRENGTH('weak') | +------------------------------------+ | 25 | +------------------------------------+ mysql> SELECT VALIDATE_PASSWORD_STRENGTH('lessweak$_@123'); +----------------------------------------------+ | VALIDATE_PASSWORD_STRENGTH('lessweak$_@123') | +----------------------------------------------+ | 50 | +----------------------------------------------+ mysql> SELECT VALIDATE_PASSWORD_STRENGTH('N0Tweak$_@123!'); +----------------------------------------------+ | VALIDATE_PASSWORD_STRENGTH('N0Tweak$_@123!') | +----------------------------------------------+ | 100 | +----------------------------------------------+

To configure password checking, modify the system variables having names of the formvalidate_password.xxx; these are the parameters that control password policy. SeeSection, “Password Validation Options and Variables”.

Ifvalidate_passwordis not installed, thevalidate_password.xxxsystem variables are not available, passwords in statements are not checked, and theVALIDATE_PASSWORD_STRENGTH()function always returns 0. For example, without the plugin installed, accounts can be assigned passwords shorter than 8 characters, or no password at all.

Assuming thatvalidate_passwordis installed, it implements three levels of password checking:LOW,MEDIUM, andSTRONG. The default isMEDIUM; to change this, modify the value ofvalidate_password.policy. The policies implement increasingly strict password tests. The following descriptions refer to default parameter values, which can be modified by changing the appropriate system variables.

In addition,validate_passwordsupports the capability of rejecting passwords that match the user name part of the effective user account for the current session, either forward or in reverse. To provide control over this capability,validate_passwordexposes avalidate_password.check_user_namesystem variable, which is enabled by default.