Bug #76660 Add user name check to validate_password plugin
Submitted: 10 Apr 2015 15:51
Modified: 10 Apr 2015 17:04
Reporter: Geoff Montee
Status: Open
Category: MySQL Server: Security: Privileges
Severity: S4 (Feature request)
Version: 5.6
OS: Any
Assigned to:
CPU Architecture: Any

[10 Apr 2015 15:51] Geoff Montee
Description:
Please modify either the MEDIUM or STRONG policies of the validate_password plugin to check whether a user's password is based on the account name.

i.e. something like this should fail with MEDIUM or STRONG password validation enabled:

CREATE USER alice IDENTIFIED BY 'alice';

How to repeat:
Enable password validation, and then create a user account with a password that contains the user name.
[10 Apr 2015 17:04] Geoff Montee
Here is a better example (the second example fails because the password doesn't meet the special character requirements):

mysql> INSTALL PLUGIN validate_password SONAME 'validate_password.so';
Query OK, 0 rows affected (0.06 sec)

mysql> SET GLOBAL validate_password_policy=MEDIUM;
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE USER 'Alice123$'@'%' IDENTIFIED BY 'Alice123$';
Query OK, 0 rows affected (0.06 sec)

mysql> CREATE USER 'Alice123'@'%' IDENTIFIED BY 'Alice123';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
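
One way to run the requested check on the provisioning side before issuing CREATE USER, shown as an added example that is not part of the bug report or of MySQL's plugin code. The MEDIUM rules below assume the plugin's default thresholds; the function names and the rule that a password counts as "based on" the account name when it equals or contains the name or its reverse (case-insensitive) are assumptions of this example.

```python
# Assumed defaults of validate_password's MEDIUM policy.
MIN_LENGTH = 8
MIN_DIGITS = 1
MIN_MIXED_CASE = 1  # at least this many lowercase AND this many uppercase
MIN_SPECIAL = 1


def meets_medium_policy(password: str) -> bool:
    """Approximate MEDIUM: length, digit, mixed case and special character."""
    return (
        len(password) >= MIN_LENGTH
        and sum(c.isdigit() for c in password) >= MIN_DIGITS
        and sum(c.islower() for c in password) >= MIN_MIXED_CASE
        and sum(c.isupper() for c in password) >= MIN_MIXED_CASE
        and sum(not c.isalnum() for c in password) >= MIN_SPECIAL
    )


def based_on_user_name(user: str, password: str, min_name_len: int = 3) -> bool:
    """True if the password equals or contains the account name or its reverse.

    Matching is case-insensitive. Names shorter than min_name_len are only
    compared for equality, so a one-letter account does not reject everything.
    """
    name, pw = user.casefold(), password.casefold()
    if not name:
        return False
    candidates = {name, name[::-1]}
    if pw in candidates:
        return True
    if len(name) < min_name_len:
        return False
    return any(c in pw for c in candidates)


def check_account(user: str, password: str) -> str:
    """Apply the policy first, then the user-name check the report asks for."""
    if not meets_medium_policy(password):
        return "rejected: policy"
    if based_on_user_name(user, password):
        return "rejected: user name"
    return "accepted"


if __name__ == "__main__":
    # The two accounts from the report, plus constructed cases.
    for user, pw in [("Alice123$", "Alice123$"), ("Alice123", "Alice123"),
                     ("alice", "$321ecilA"), ("alice", "Tr0ub4dor&3x")]:
        print(f"{user!r:12} {pw!r:16} {check_account(user, pw)}")
```
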