Bug #77277 | default_password_lifetime should be set 0 as implicit default value | ||
---|---|---|---|
Submitted: | 9 Jun 2015 9:45 | Modified: | 12 Jan 2016 16:47 |
Reporter: | Tsubasa Tanaka (OCA) | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Security: Privileges | Severity: | S4 (Feature request) |
Version: | 5.7.7 | OS: | Any |
Assigned to: | | CPU Architecture: | Any |
[9 Jun 2015 9:45]
Tsubasa Tanaka
[11 Jun 2015 1:59]
Tsubasa Tanaka
This is a reflection of my blog post about "default_password_lifetime's default is 360". http://b.hatena.ne.jp/entry/yoku0825.blogspot.com/2015/06/mysql-574defaultpasswordlifetime... There are over 500 people who have an interest in this parameter. We strongly hope MySQL accepts my suggestion no. 1, the default value of default_password_lifetime set to "0".
[19 Jun 2015 5:58]
MySQL Verification Team
Hello Tsubasa-San, Thank you for the feature request. Thanks, Umesh
[5 Oct 2015 13:43]
Simon Mudd
I agree. Also consider the situation when upgrading existing systems to 5.7 from 5.6. It might be possible that you have a 5.6 master and 5.7 slaves running for 360 days (yes, it might happen and may depend on when the slave was first converted to 5.7 from 5.6). This potentially opens a time-bomb which won't bite you for 1 year and may hit a large number of systems at the same time. If the master still runs 5.6 then you can't fix the slaves by replication but would have to go and fix each slave manually.
[12 Jan 2016 16:47]
Paul DuBois
Noted in 5.7.11, 5.8.0 changelogs.

The default value of the default_password_lifetime system variable that controls the global password expiration policy has been changed from 360 (360 days) to 0 (no password expiration). The default of 360 sometimes took people by surprise when account passwords expired a year after upgrading to MySQL 5.7. To continue to use a value other than 0 as the password expiration, start the server with an explicit setting for default_password_lifetime. For example, use these lines in an option file:

```ini
[mysqld]
default_password_lifetime=360
```
[12 Jan 2016 17:43]
Morgan Tocker
On behalf of the MySQL team, thank you for the feedback in response to this feature request. We agree with the original bug reporter that the default of 360 is surprising for users upgrading from previous releases of MySQL. In response the default has been changed to zero, as of MySQL 5.7.11. We do however continue to see value in setting a value > 0, as our goal is to be secure by default, without any additional changes required: http://mysqlserverteam.com/secure-by-default-in-mysql-5-7/ That is to say that we may look at changing the new 5.7.11 default of zero, to a non-zero version in a future release. We encourage feedback as to how we could make this transition less surprising. I have created a feature request (Bug #79939) for a startup warning, but there is still room for additional suggestions.
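
The following audit is an added example, not part of the original bug thread or of MySQL's own material. It lists when each account's password will expire under the policy currently in effect, then pins the policy per account so a change in the global default cannot surprise it. It assumes a MySQL 5.7 server whose `mysql.user` table has the `password_last_changed`, `password_lifetime` and `password_expired` columns; the account names are hypothetical.

```sql
-- Global policy currently in effect, in days (0 = passwords never expire).
SELECT @@global.default_password_lifetime AS global_lifetime_days;

-- Per-account view. password_lifetime IS NULL means the account follows the
-- global default; 0 means it never expires; N means it expires after N days.
SELECT user,
       host,
       password_last_changed,
       CASE WHEN password_lifetime IS NULL THEN 'global default'
            ELSE 'per-account'
       END AS policy_source,
       COALESCE(password_lifetime, @@global.default_password_lifetime)
           AS effective_lifetime_days,
       CASE
         WHEN COALESCE(password_lifetime,
                       @@global.default_password_lifetime) = 0 THEN NULL
         ELSE password_last_changed
              + INTERVAL COALESCE(password_lifetime,
                                  @@global.default_password_lifetime) DAY
       END AS expires_on            -- NULL = no expiration
FROM mysql.user
WHERE password_expired = 'N'
ORDER BY expires_on IS NULL, expires_on;

-- Accounts that expire together: many rows sharing one date is the
-- "all at once" failure described in the thread.
SELECT DATE(password_last_changed) AS changed_on, COUNT(*) AS accounts
FROM mysql.user
WHERE password_lifetime IS NULL
GROUP BY DATE(password_last_changed)
ORDER BY accounts DESC;

-- Pin the policy explicitly instead of inheriting the global default.
-- Hypothetical account names; adjust to the accounts the audit returned.
ALTER USER 'repl'@'10.0.0.%'      PASSWORD EXPIRE NEVER;           -- service account
ALTER USER 'dba_alice'@'localhost' PASSWORD EXPIRE INTERVAL 90 DAY; -- interactive account
ALTER USER 'report'@'localhost'    PASSWORD EXPIRE DEFAULT;         -- follow the global setting
```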