Description:
For a local test in a protected environment, I wanted to use simpler passwords.
After checking the documentation, I decided to set policy to "LOW" (length check only) and (minimum) length to 3.
This is what I did:
mysql> SHOW VARIABLES LIKE 'validate_password%';
+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password_dictionary_file    |        |
| validate_password_length             | 8      |
| validate_password_mixed_case_count   | 1      |
| validate_password_number_count       | 1      |
| validate_password_policy             | MEDIUM |
| validate_password_special_char_count | 1      |
+--------------------------------------+--------+
6 rows in set (0,00 sec)
mysql> set global validate_password_policy = 0 ;
Query OK, 0 rows affected (0,00 sec)
mysql> set global validate_password_length = 3 ;
Query OK, 0 rows affected (0,00 sec)
Being cautious, I checked the result:
mysql> SHOW VARIABLES LIKE 'validate_password%';
+--------------------------------------+-------+
| Variable_name                        | Value |
+--------------------------------------+-------+
| validate_password_dictionary_file    |       |
| validate_password_length             | 4     |
| validate_password_mixed_case_count   | 1     |
| validate_password_number_count       | 1     |
| validate_password_policy             | LOW   |
| validate_password_special_char_count | 1     |
+--------------------------------------+-------+
6 rows in set (0,00 sec)
HEY - I had set the length to 3, why does it show 4?
I checked the documentation again and found the note that the minimum length will be computed as the sum of the digit, special-char and double the mixed-case count.
So the value 4 was explained.
However, I take issue with this approach:
When the policy is set to "LOW", the only active check is for the length, so the various character class requirements are not checked.
In this situation, there is no need to increase the minimum length according to the classes.
Second, when the server modifies my input (changes the length from 3 to 4), IMNSHO this MUST be indicated by a warning - but none was given.
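To make the two complaints concrete, here is a small Python model of the plugin's documented behaviour (an added example written for this report, not the plugin's own code): the length floor number + special + 2 * mixed_case is applied at every policy level, while the character-class checks only run from MEDIUM upward, and the set_length() helper returns the warning the server currently does not emit. The STRONG dictionary check is simplified to a whole-word lookup against a constructed word set.

```python
from dataclasses import dataclass

# Policy levels as the validate_password plugin numbers them: LOW=0, MEDIUM=1,
# STRONG=2. STRONG's dictionary check is modelled with a constructed word set.
LOW, MEDIUM, STRONG = 0, 1, 2
DICTIONARY = {"password", "secret", "letmein"}  # constructed sample list


@dataclass
class ValidatePasswordVars:
    """Server defaults, taken from the first SHOW VARIABLES output above."""
    length: int = 8
    mixed_case_count: int = 1
    number_count: int = 1
    special_char_count: int = 1
    policy: int = MEDIUM


def effective_length(v: ValidatePasswordVars) -> int:
    """Documented floor (number + special + 2 * mixed_case), applied at every policy."""
    return max(v.length, v.number_count + v.special_char_count + 2 * v.mixed_case_count)


def set_length(v: ValidatePasswordVars, requested: int):
    """Model SET GLOBAL validate_password_length and surface any upward adjustment."""
    v.length = requested
    adjusted = effective_length(v)
    warning = None
    if adjusted != requested:  # the silent change the report asks to be warned about
        warning = f"validate_password_length raised from {requested} to {adjusted}"
    v.length = adjusted
    return adjusted, warning


def check_password(v: ValidatePasswordVars, pw: str) -> list:
    """Return the names of the checks pw fails under the configured policy."""
    failures = []
    if len(pw) < effective_length(v):
        failures.append("length")
    if v.policy >= MEDIUM:  # character-class checks are skipped entirely at LOW
        lower = sum(c.islower() for c in pw)
        upper = sum(c.isupper() for c in pw)
        if min(lower, upper) < v.mixed_case_count:
            failures.append("mixed_case")
        if sum(c.isdigit() for c in pw) < v.number_count:
            failures.append("number")
        if sum(not c.isalnum() for c in pw) < v.special_char_count:
            failures.append("special_char")
    if v.policy >= STRONG and pw.lower() in DICTIONARY:  # simplified dictionary check
        failures.append("dictionary")
    return failures
```

Running set_length(ValidatePasswordVars(policy=LOW), 3) reproduces the report: the stored value becomes 4 and the returned warning is the message the server should have shown.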
How to repeat:
See copy-paste in the "description":
-- Use a server with the validation plugin installed
-- and all values still at their defaults.
set global validate_password_policy = 0 ;
set global validate_password_length = 3 ;
-- Check:
SHOW VARIABLES LIKE 'validate_password%';
The length will be set to 4.
Suggested fix:
1) When the policy is set to "LOW", do not calculate the minimum length from the class requirements.
2) When overriding the user input and setting a higher (minimum) length than was given, issue a warning.