[MDEV-9245] password "reuse prevention" validation plugin Created: 2015-12-07  Updated: 2023-11-27  Resolved: 2021-10-21

Status: Closed
Project: MariaDB Server
Component/s: Plugins
Fix Version/s: 10.7.1

Type: Task Priority: Critical
Reporter: Sergei Golubchik Assignee: Oleksandr Byelkin
Resolution: Fixed Votes: 4
Labels: Preview_10.7, Security

Issue Links:
Blocks
blocks MDEV-19275 Provide SQL service to plugins. Closed
Duplicate
duplicates MDEV-9072 MariaDB Community Edition needs passw... Closed
duplicates MDEV-9244 Add password auto expiration option a... Closed
Problem/Incident
causes MDEV-26647 Include password validation plugin in... Closed
causes MDEV-26650 Failed ALTER USER/GRANT statement rem... Closed
causes MDEV-28838 password_reuse_check plugin mixes use... Closed

 Description   

A password validation plugin to prevent password reuse. It keeps a log of hashes of passwords it has successfully validated before and verifies that a new password is not present in the log.
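The mechanism described above, sketched as an added example; it is not the plugin's code or MariaDB's storage format. The class name, the PBKDF2 hashing with a per-entry salt, and the in-memory log are assumptions, `history_length` (a term used in the comments on this issue) is modelled as an optional cap on stored hashes, and the accounts and passwords are constructed samples.

```python
import hashlib
import hmac
import os


class PasswordReuseLog:
    """In-memory stand-in for the hash log (hypothetical layout, not MariaDB's)."""

    def __init__(self, history_length=None, iterations=100_000):
        self.history_length = history_length  # None = keep every hash
        self.iterations = iterations
        self._log = {}  # account -> list of (salt, digest), oldest first

    def _digest(self, account, password, salt):
        # Mix the account name in, so one password on two accounts hashes differently.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt + account.encode("utf-8"), self.iterations)

    def is_reused(self, account, password):
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        reused = False
        for salt, digest in self._log.get(account, []):
            # No early exit; compare_digest keeps the comparison constant-time.
            reused |= hmac.compare_digest(self._digest(account, password, salt), digest)
        return reused

    def validate(self, account, password):
        """Accept and log a new password; reject one already in the log."""
        if self.is_reused(account, password):
            return False  # rejected passwords are never added to the log
        salt = os.urandom(16)
        entries = self._log.setdefault(account, [])
        entries.append((salt, self._digest(account, password, salt)))
        if self.history_length is not None:
            # A capped log forgets its oldest hashes.
            del entries[:max(0, len(entries) - self.history_length)]
        return True


def demo():
    # Constructed sample accounts and passwords; low iteration count for speed.
    log = PasswordReuseLog(iterations=1_000)
    return [log.validate("app@localhost", "Winter-2021!"),
            log.validate("app@localhost", "Spring-2022!"),
            log.validate("app@localhost", "Winter-2021!"),  # reuse: rejected
            log.validate("ops@localhost", "Winter-2021!")]  # different account


if __name__ == "__main__":
    print(demo())
```

With `history_length=None` the log never forgets a hash; with a cap, a password becomes acceptable again once enough newer ones have pushed it out.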



 Comments   
Comment by Nirmol Chondri [ 2019-03-01 ]

hello

Comment by Geoff Montee (Inactive) [ 2019-05-22 ]

It looks like MySQL 8.0 added a feature like this:

https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/password-management.html#password-reuse-policy

Comment by MikaH [ 2020-01-23 ]

Is this proceeding? We have large scale Customers demanding this to be implemented. Thank you.

Comment by Sergei Golubchik [ 2020-01-23 ]

At the moment it's not progressing. MariaDB Foundation is a non-profit organization and tries to treat all its users fairly and equally. And for now other more widely requested features were prioritized over this one.

If your customers demand a feature, you can get in touch with one of the commercial MariaDB support providers, for example, MariaDB Corporation, that has a big pool of developers, and you'll be able in turn to demand something to be implemented.

Comment by Sergei Golubchik [ 2020-01-23 ]

This feature is currently considered a candidate for the next major release of MariaDB Server.

Comment by Oleksandr Byelkin [ 2021-01-26 ]

IMHO timestamp in mysql table is not so interesting (it is better to look in audit data) as which time password changed (easier to handle), but it is my IMHO

Comment by Oleksandr Byelkin [ 2021-01-26 ]

In practice the feature is useless: a user can change the password history_length+1 times and return to the old password

Comment by Oleksandr Byelkin [ 2021-09-07 ]

branch bb-10.7-MDEV-9245-4
commits:
ca4ef7185da363f17d5ef13a40e3572d533e98db
271afbc88e48307299c7a38abfb74dc372c7eb2c

Comment by Oleksandr Byelkin [ 2021-09-09 ]

new commit
cf3c58e85a2dc7fff12f43b5e95577c22829b317

Comment by Oleksandr Byelkin [ 2021-09-10 ]

branch bb-10.7-MDEV-9245-5 commit 0e09bc41cbab05ba1f67c7bf491b9aeebe0bec16

Comment by Sergei Golubchik [ 2021-09-11 ]

ok to push after adding tests for sql errors in the plugin (on top of the commit 0e09bc41cbab05ba1f67c7bf491b9aeebe0bec16)
