Security: MySQL Password Validation Plugin


Password is be like the words, numbers and string of characters. On database and server side, the username and password were should needed for certain access. The password should be structured and security based.

In this section we are going to take a elaborate view on validate_password plugin in MySQL.  We have seen about audit_plugin earlier.

Activation and Installation:

Below mentioned steps are helps to activate the plugin “validate_password” in MySQL server. The validate plugin is present in plugin directory you were able to see the soname like “”. ( I have used MySQL 5.7 here )



After confirmation the file, we have two more steps for activate the plugin.

Step 1:

We need to load the plugin  for activation in the config file ( my.cnf) . The variable “plugin-load” is helpful for perform that activity. In yours config file just notify the values like below,


Here the variable “plugin-load” is used to load the .so file. The variable “validate-password” is used to tells the server to load the plugin at startup and prevents the plugin from being removed while the server is running.

Step 2:

We have to activate the plugin using the below inside mysql


INSTALL plugin name SONAME ‘.so file name’;



Now, the Plugin is Successfully installed into the MySQL server.



The file must be inside the plugin directory. But it comes by default.

What is “validate-password”?

 From above, we know validate-password is a variable it used to tells the server for startup the validate_password plugin. Yet, below mentioned example is used to deeply understand about the variable ‘validate-password’.

In config file to make it mandatory on restarts.


In MySQL server,


We enabled the variable “validate-password” in config file, and try to uninstall the plugin. But it wont allow unloading or uninstall as we have enabled “force_plus_permanent”.

If you need to uninstall the plugin just remove the variable (validate-password) from config file and restart MySQ: servers.

Plugin Variables:

Plugin variables are used to modify or perform the plugin operations. Below mentioned variables are used to perform the operations in validate_password plugin.



We have three policies. The policies are define the password strength. We have set the policies as global.

i)   LOW


iii) HIGH


It defines the password length. In LOW we have fixed the password length validations , it won’t validate use of any special characters, numbers & uppercases in password.

Limitations – LOW:


Password length can be started from a minimum (1).


From MEDIUM we are able to make a perfect and well secured password. We can use  special characters, numbers, mixed cases. So the password can be a strong one.

 Limitations – MEDIUM:


From here, we can increase all the variable as per needed.


From policy HIGH, we are able to use dictionary file. Dictionary file is used to store the password. Remaining options are same as  policy MEDIUM.

Limitations – HIGH:



This option is only available in HIGH policy. Here we have used the dictionary file. Dictionary file contains words.

How to enable dictionary file?

We have enable it in the config file by using the variable “validate_password_dictionary_file”. Below screenshot describes that.


After set this variable in config file just restart the server.

   i.   During password checking the password policy must be HIGH.

  ii.   The  words in dictionary file should be mentioned line by line.

 iii.  The words in dictionary file should have LOWER case only.

 iv.   The maximum size of the file is 1MB. While comparison, each and every substring of the password was compared to the words mentioned inside of dictionary file.

v.   The comparison is not case sensitive.


 This is the variable which used to decide the password length in the server. We can set the   password length by globally.



Now, If we need to set any password in server, it must be have 10 characters, If it is not satisfy the password length it gives the error.

For example,


It should accept only 10 character password.


Now it is working with 10 characters. 


This variable mixed_case_count denotes denotes the UPPER  case availability in password.


Current variable value,


So, the current value is 1, it says, the password must have a single UPPER case value.


From this example, At first we execute the script without any UPPER cases, The plugin rejects the Script. Because we need a single upper case value. After that we execute the script with a single UPPER case, it be a done.

Note : We can perform this variable in MEDIUM or HIGH policies only.


This is the variable, which used to fix the integer availability in password.


Current value of the variable is,


So, the password too contains two numbers, otherwise it will be rejected.


Here, At first the script is executed with single number, so it was rejected, after that, the script executed with two numbers, it was accepted.

Note : We can perform this variable in MEDIUM or HIGH policies only.


This variable is used to fix the number of special characters (!@#$%^&*) availability in password.


Current value of the variable is,



From example, The plugin accept the second script because, it only have the needed special characters.

Note : We can perform this variable in MEDIUM or HIGH policies only.


In MySQL the plugin “validate_password” provides the perfect validation and analysis about passwords. It also helps to construct the strong passwords based our needs. Helps in following the standards and security compliance.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s