Bug #81523 Password validation plugin uses wrong logic
Submitted: 20 May 2016 15:38 Modified: 24 May 2016 8:55
Reporter: Jörg Brühe (OCA)
Status: Verified
Category:MySQL Server: Pluggable Authentication Severity:S3 (Non-critical)
Version:5.7.10, 5.7.12 OS:Any
Assigned to: CPU Architecture:Any
Tags: LENGTH, password, policy

[20 May 2016 15:38] Jörg Brühe
Description:
For a local test in a protected environment, I wanted to use simpler passwords.
After checking the documentation, I decided to set policy to "LOW" (length check only) and (minimum) length to 3.

This is what I did:

mysql> SHOW VARIABLES LIKE 'validate_password%';
+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password_dictionary_file    |        |
| validate_password_length             | 8      |
| validate_password_mixed_case_count   | 1      |
| validate_password_number_count       | 1      |
| validate_password_policy             | MEDIUM |
| validate_password_special_char_count | 1      |
+--------------------------------------+--------+
6 rows in set (0,00 sec)

mysql> set global validate_password_policy = 0 ;
Query OK, 0 rows affected (0,00 sec)

mysql> set global validate_password_length = 3 ;
Query OK, 0 rows affected (0,00 sec)

Being cautious, I checked the result:

mysql> SHOW VARIABLES LIKE 'validate_password%';
+--------------------------------------+-------+
| Variable_name                        | Value |
+--------------------------------------+-------+
| validate_password_dictionary_file    |       |
| validate_password_length             | 4     |
| validate_password_mixed_case_count   | 1     |
| validate_password_number_count       | 1     |
| validate_password_policy             | LOW   |
| validate_password_special_char_count | 1     |
+--------------------------------------+-------+
6 rows in set (0,00 sec)

HEY - I had set the length to 3, why does it show 4?

I checked the documentation again and found the note that the minimum length will be computed as the sum of the digit, special-char and double the mixed-case count.
So the value 4 was explained.

However, I take issue with this approach:
When the policy is set to "LOW", the only active check is for the length, so the various character class requirements are not checked.
In this situation, there is no need to increase the minimum length according to the classes.

Second, when the server modifies my input (changes the length from 3 to 4), IMNSHO this MUST be indicated by a warning - but none was given.

How to repeat:
See copy-paste in the "description":

-- Use a server with the validation plugin installed
-- and all values still at their defaults.

set global validate_password_policy = 0 ;
set global validate_password_length = 3 ;

-- Check:
SHOW VARIABLES LIKE 'validate_password%';

The length will be set to 4.

Suggested fix:
1) When the policy is set to "LOW", do not calculate the minimum length from the class requirements.

2) When overriding the user input and setting a higher (minimum) length than was given, issue a warning.
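The length rule quoted above (effective minimum = the larger of validate_password_length and number_count + special_char_count + 2 * mixed_case_count) and the per-policy checks are easy to model. The following Python is an added example written for this page, not the plugin's own code; the settings class, function names and the dictionary handling are my assumptions, based only on the behaviour the report describes and on the documented meaning of each variable. It reproduces the reporter's case (policy LOW, length 3 shown as 4), the warning text Umesh quotes, and the alternative in which LOW applies the configured length as given.

```python
# Added illustration (not MySQL's plugin code): a model of how
# validate_password derives its effective minimum length and which
# checks each policy level runs.  Names and structure are assumptions.
from dataclasses import dataclass


@dataclass
class ValidatePasswordSettings:
    length: int = 8                 # validate_password_length as configured
    mixed_case_count: int = 1       # validate_password_mixed_case_count (per case)
    number_count: int = 1           # validate_password_number_count
    special_char_count: int = 1     # validate_password_special_char_count
    policy: str = "MEDIUM"          # LOW, MEDIUM or STRONG
    # words from validate_password_dictionary_file, assumed already loaded
    dictionary: frozenset = frozenset()


def effective_length(s: ValidatePasswordSettings) -> int:
    """Documented rule: the minimum length is raised to
    number_count + special_char_count + 2 * mixed_case_count
    when the configured value is smaller (mixed case counts twice
    because it requires that many lowercase AND uppercase characters)."""
    floor = s.number_count + s.special_char_count + 2 * s.mixed_case_count
    return max(s.length, floor)


def set_length(s: ValidatePasswordSettings, requested: int):
    """Model SET GLOBAL validate_password_length = requested.
    Returns (value SHOW VARIABLES would display, warning or None),
    with the warning text as quoted in the verification comment."""
    s.length = requested
    shown = effective_length(s)
    warning = None
    if shown != requested:
        warning = ("Effective value of validate_password_length is changed. "
                   f"New value is {shown}")
    return shown, warning


def check_password(pw: str, s: ValidatePasswordSettings, apply_floor: bool = True) -> list:
    """Return the list of failed checks (empty list means accepted).
    apply_floor=False models the reporter's suggested fix: under LOW
    only the configured length is enforced, not the class-derived floor."""
    failures = []
    min_len = effective_length(s) if apply_floor else s.length
    if len(pw) < min_len:
        failures.append(f"length < {min_len}")
    if s.policy == "LOW":
        return failures            # LOW: length is the only check
    # MEDIUM and STRONG: character-class requirements
    digits = sum(c.isdigit() for c in pw)
    lower = sum(c.islower() for c in pw)
    upper = sum(c.isupper() for c in pw)
    special = sum(not c.isalnum() for c in pw)
    if digits < s.number_count:
        failures.append(f"digits < {s.number_count}")
    if lower < s.mixed_case_count or upper < s.mixed_case_count:
        failures.append(f"lower/upper < {s.mixed_case_count} each")
    if special < s.special_char_count:
        failures.append(f"special < {s.special_char_count}")
    if s.policy == "STRONG" and s.dictionary:
        # Assumed STRONG behaviour: substrings of length 4 or more are
        # compared case-insensitively against the dictionary words.
        low = pw.lower()
        subs = {low[i:j] for i in range(len(low)) for j in range(i + 4, len(low) + 1)}
        if subs & s.dictionary:
            failures.append("dictionary word")
    return failures


if __name__ == "__main__":
    s = ValidatePasswordSettings(policy="LOW")
    print(set_length(s, 3))                       # (4, 'Effective value ... New value is 4')
    print(check_password("abc", s))               # ['length < 4'] with the floor applied
    print(check_password("abc", s, apply_floor=False))  # [] under the suggested fix
```

Running it reproduces the report: with policy LOW and the other counts at their defaults, the floor 1 + 1 + 2 * 1 = 4 overrides the requested 3, and a three-character password is rejected even though no class check runs. Dropping the floor for LOW (apply_floor=False) gives the behaviour the reporter expected.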
[24 May 2016 8:49] MySQL Verification Team
Hello Jörg,

Thank you for the report and feedback.
Imho, the second point seems to be handled already, as I see that a warning is logged: "[Warning] Plugin validate_password reported: 'Effective value of validate_password_length is changed. New value is 4'"

Thanks,
Umesh
[24 May 2016 8:55] Jörg Brühe
I didn't get a warning in 5.7.10 -
if you get one, it would be a later addition.