MySQL password reuse policy
Goal of this test
Within the password reuse interval (set with PASSWORD REUSE INTERVAL), no password used inside that interval can be reused. Once a password is older than the reuse interval it becomes reusable only if it is also outside the window set by PASSWORD HISTORY: if that option is enabled, the most recent N passwords stay blocked; if it is not, reuse is unrestricted. The two checks are independent and a new password must pass both. The run below exercises each of them in turn.
Create the test user
mysql> create user pswtest@'%' identified by "Pswd123456$01"
-> PASSWORD EXPIRE INTERVAL 90 DAY #password lifetime, in days
-> PASSWORD HISTORY 2 #the most recent n passwords cannot be reused
-> PASSWORD REUSE INTERVAL 7 DAY #passwords used within the last n days cannot be reused
-> PASSWORD REQUIRE CURRENT #the account must supply its current password when changing its own password
-> ;
Query OK, 0 rows affected (0.07 sec)
Confirm the current date and time
mysql> select current_date,now() ;
+--------------+---------------------+
| current_date | now() |
+--------------+---------------------+
| 2020-10-21 | 2020-10-21 15:46:02 |
+--------------+---------------------+
1 row in set (0.00 sec)
Within the reuse interval, passwords cannot be reused
The password is rotated 01 → 02 → 03 → 04 → 05 within a few minutes on 2020-10-21. Setting 05 again fails because it is the current password (inside both the last-2 history window and the 7-day window). Setting 02 also fails: it is outside the last-2 window, so it is the reuse interval alone that rejects it. The error is the same in both cases (ERROR 3638). Note that these ALTER USER statements run as a privileged administrator, which is why PASSWORD REQUIRE CURRENT does not demand a REPLACE clause here.
mysql>
mysql>
mysql> alter user pswtest@'%' identified by "Pswd123456$02" ;
Query OK, 0 rows affected (0.13 sec)
mysql>
mysql> alter user pswtest@'%' identified by "Pswd123456$03" ;
Query OK, 0 rows affected (0.17 sec)
mysql> alter user pswtest@'%' identified by "Pswd123456$04" ;
Query OK, 0 rows affected (0.09 sec)
mysql>
mysql> alter user pswtest@'%' identified by "Pswd123456$05" ;
Query OK, 0 rows affected (0.08 sec)
mysql>
mysql>
mysql> alter user pswtest@'%' identified by "Pswd123456$05" ;
ERROR 3638 (HY000): Cannot use these credentials for 'pswtest@%' because they contradict the password history policy
mysql>
mysql>
mysql> alter user pswtest@'%' identified by "Pswd123456$02" ;
ERROR 3638 (HY000): Cannot use these credentials for 'pswtest@%' because they contradict the password history policy
mysql>
mysql>
Adjust the system clock
Move the system clock past the reuse interval: from 2020-10-21 to 2020-10-29, eight days later than the 7-day interval. The reuse-interval check compares the time each earlier password was set against the server's current time, so only the OS clock has to move; the account itself is not touched.
mysql>
mysql> select current_date,now() ;
+--------------+---------------------+
| current_date | now() |
+--------------+---------------------+
| 2020-10-29 | 2020-10-29 15:53:59 |
+--------------+---------------------+
1 row in set (0.00 sec)
mysql>
Reuse the passwords
After the reuse interval has passed, the earlier passwords can be set again. Each reuse below also happens to be outside the last-2 history window at the moment it is attempted (02 is set while the two most recent are 05 and 04, 03 while they are 02 and 05, and so on), so every ALTER USER succeeds.
mysql>
mysql> alter user pswtest@'%' identified by "Pswd123456$02" ;
Query OK, 0 rows affected (0.08 sec)
mysql> alter user pswtest@'%' identified by "Pswd123456$03" ;
Query OK, 0 rows affected (0.06 sec)
mysql> alter user pswtest@'%' identified by "Pswd123456$04" ;
Query OK, 0 rows affected (0.05 sec)
mysql> alter user pswtest@'%' identified by "Pswd123456$05" ;
Query OK, 0 rows affected (0.07 sec)
mysql>
mysql>
Set the system clock again
Move the system clock past the reuse interval once more (2020-11-07, nine days after 2020-10-29) so that the 7-day check no longer applies to any stored password. Whatever is still rejected now is rejected by PASSWORD HISTORY alone. The account was created with PASSWORD HISTORY 2 and that value has not been changed, so the ALTER USER below only restates the setting already in effect.
mysql>
mysql> select current_date,now() ;
+--------------+---------------------+
| current_date | now() |
+--------------+---------------------+
| 2020-11-07 | 2020-11-07 16:02:33 |
+--------------+---------------------+
1 row in set (0.00 sec)
Password reuse with the PASSWORD HISTORY option enabled
With every stored password older than the reuse interval, the current password (05) and the previous one (04) are still rejected by the history window of 2, while 03, the third most recent, is accepted.
mysql>
mysql> alter user pswtest@'%' password history 2 ;
Query OK, 0 rows affected (0.03 sec)
mysql>
mysql>
mysql> alter user pswtest@'%' identified by "Pswd123456$05" ;
ERROR 3638 (HY000): Cannot use these credentials for 'pswtest@%' because they contradict the password history policy
mysql>
mysql>
mysql> alter user pswtest@'%' identified by "Pswd123456$04" ;
ERROR 3638 (HY000): Cannot use these credentials for 'pswtest@%' because they contradict the password history policy
mysql>
mysql>
mysql> alter user pswtest@'%' identified by "Pswd123456$03" ;
Query OK, 0 rows affected (0.05 sec)
mysql>
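The session above shows the policy only through its error messages. The following script, added here as an example and not part of the original page, shows where MySQL actually records the per-account policy (mysql.user, echoed by SHOW CREATE USER) and the per-password timestamps that the two checks consult (mysql.password_history), so a practitioner can see why a given ALTER USER is rejected instead of inferring it. The account name and passwords are the ones from the test; the administrator running the script is assumed to have CREATE USER and SELECT on the mysql schema, and the self-change statement in step 6 is shown as a comment because it must be run from a connection authenticated as pswtest.

```sql
-- Added example, not from the original page: inspect the state behind
-- PASSWORD HISTORY / PASSWORD REUSE INTERVAL on MySQL 8.0.
-- Assumes a privileged session (CREATE USER, SELECT ON mysql.*).

-- 1. Server-wide defaults, used by any account whose policy says DEFAULT.
--    On a stock 8.0 server all three are 0 / OFF, i.e. no restriction.
SHOW VARIABLES WHERE Variable_name IN
  ('password_history', 'password_reuse_interval', 'password_require_current');

-- 2. Create the account with the same policy as the test, in one statement.
CREATE USER IF NOT EXISTS 'pswtest'@'%' IDENTIFIED BY 'Pswd123456$01'
  PASSWORD EXPIRE INTERVAL 90 DAY
  PASSWORD HISTORY 2
  PASSWORD REUSE INTERVAL 7 DAY
  PASSWORD REQUIRE CURRENT;

-- 3. Confirm what the server stored for the account. The per-account
--    policy lives in mysql.user; SHOW CREATE USER prints the same values.
SHOW CREATE USER 'pswtest'@'%';
SELECT User, Host, Password_reuse_history, Password_reuse_time,
       Password_require_current, password_lifetime
  FROM mysql.user
 WHERE User = 'pswtest' AND Host = '%';

-- 4. Rotate the password twice, then read the history table. Each row is
--    one password the account has had (the current one included) with the
--    time it was set. PASSWORD HISTORY n looks at the n newest rows;
--    PASSWORD REUSE INTERVAL n DAY looks at every row whose
--    Password_timestamp is newer than the server clock minus n days.
ALTER USER 'pswtest'@'%' IDENTIFIED BY 'Pswd123456$02';
ALTER USER 'pswtest'@'%' IDENTIFIED BY 'Pswd123456$03';
SELECT Host, User, Password_timestamp
  FROM mysql.password_history
 WHERE User = 'pswtest' AND Host = '%'
 ORDER BY Password_timestamp DESC;

-- 5. A reuse the policy must reject: 02 is one of the two newest rows and
--    was set seconds ago, so both checks fail it (expect ERROR 3638).
ALTER USER 'pswtest'@'%' IDENTIFIED BY 'Pswd123456$02';

-- 6. PASSWORD REQUIRE CURRENT only applies when the account changes its
--    own password; an administrator, as above, needs no REPLACE clause.
--    From a connection logged in as pswtest the statement would be:
--    ALTER USER USER() IDENTIFIED BY 'Pswd123456$04' REPLACE 'Pswd123456$03';

-- 7. Return the account to the server-wide defaults when the test is over.
ALTER USER 'pswtest'@'%'
  PASSWORD HISTORY DEFAULT
  PASSWORD REUSE INTERVAL DEFAULT
  PASSWORD REQUIRE CURRENT DEFAULT;
```

Because the reuse-interval check is driven by Password_timestamp against the server clock, querying mysql.password_history before and after the clock changes in the test above is the quickest way to confirm which of the two checks produced a given ERROR 3638; the error text itself does not say.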