10.7 preview feature: Password Reuse Check plugin

Written by Written by Ian Gilfillan

By default, MariaDB does not check if a user reuses a password. Some security policies require users to choose a new password each time, and the Password Reuse Check plugin, available in a MariaDB 10.7.0 preview, enables this functionality.

Old passwords are stored in the mysql.password_reuse_check_history table, and the period they are retained for is determined by the password-reuse-check-interval system variable, which specifies a number of days. By default this is zero, meaning unlimited retention.

The password can be used in conjunction with other password validation plugins, such as the Simple Password Check plugin or the CrackLib Password Check plugin.

Note that password validation can easily be circumvented if the global strict_password_validation variable is turned off, by specifying the password as a hash. By default the variable is set.

Installing the Plugin

Although the plugin’s shared library is distributed with MariaDB by default, the plugin is not actually installed by MariaDB by default.

You can install the plugin dynamically, without restarting the server, by executing INSTALL SONAME or INSTALL PLUGIN. For example: 


INSTALL SONAME 'password_reuse_check';

The second method can be used to tell the server to load the plugin when it starts up. The plugin can be installed this way by providing the –plugin-load or the –plugin-load-add options. This can be specified as a command-line argument to mysqld or it can be specified in a relevant server option group in an option file. For example: 


[mariadb]
...
plugin_load_add = password_reuse_check

Example


INSTALL SONAME 'password_reuse_check';

GRANT SELECT ON *.* TO user1@localhost identified by 'pwd1';
Query OK, 0 rows affected (0.038 sec)

GRANT SELECT ON *.* TO user1@localhost identified by 'pwd1';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

It’s of course not possible to simply use an intermediate password, and then try restore the old password again: 


SET PASSWORD FOR user1@localhost = PASSWORD("pwd1");
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

There are two ways to try this feature out.

Tarball

Download and install the tarball.

Container

You can run the container called quay.io/mariadb-foundation/mariadb-dev:10.7-mdev-9245-password-reuse with the same interface as the Docker Library mariadb image.

Binder online MariaDB Jupyter Notebook

A complete running instance is available in your web browser with Binder. Please be patient with the link, it takes a small time to load.

Feedback welcome

If you come across any problems in this feature preview, with the design, or edge cases that don’t work as expected, please let us know with a JIRA bug/feature request on the MDEV project. You are welcome to chat about it on Zulip.

See also

The Password Reuse Check Plugin on the Knowledge Base.