Ensure 'old_passwords' Is Not Set to '1' or 'ON'

Description

This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements.

Before 5.6.6, the value can be 0 (or OFF) or 1 (or ON). As of 5.6.6, the value can be one of the following:

  • 0 - authenticate with the mysql_native_password plugin

  • 1 - authenticate with the mysql_old_password plugin

  • 2 - authenticate with the sha256_password plugin

Rationale

The mysql_old_password plugin uses a hashing algorithm whose output can be quickly brute-forced with an offline dictionary attack. See CVE-2003-1480 for additional details.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag With Value
secureclouddb/provider aws
secureclouddb/service rds
secureclouddb/engine mysql

Default Rule

const { checkRdsVersion, OK_SKIP_VERSION, getServerSetting } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {boolean} true if the database instance has a correct value for old_passwords option
 */
function validate(databaseSettings) {
    // Only the 5.6 engine line is evaluated; other versions are skipped.
    const supportedVersions = ["5.6"]
    const supported = checkRdsVersion(databaseSettings, supportedVersions)
    if (!supported) {
        return OK_SKIP_VERSION
    }

    // 0 (mysql_native_password) and 2 (sha256_password) pass; 1 (mysql_old_password) fails.
    const settingName = "old_passwords"
    const expectedValues = ["0", "2"]
    const currentValue = getServerSetting(databaseSettings, settingName)
    const success = expectedValues.includes(currentValue)
    return {
        success,
    }
}

// invoke
validate(databaseSettings);
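The default rule depends on the harness-provided `checkRdsVersion` and `getServerSetting` helpers, so it cannot be run on its own. The block below is an added, stand-alone re-implementation of the same check for testing outside the harness; it is not SecureCloudDB's code. The helper names (`isVersionSupported`, `normalizeOldPasswords`, `evaluateOldPasswords`), the `{ engineVersion, parameters }` settings shape and the sample inputs are constructed for this example. It goes one step beyond the default rule by resolving the pre-5.6.6 `OFF`/`ON` aliases described above to their numeric form before deciding, so a legacy server reporting `ON` is still flagged.

```javascript
// Added example: stand-alone version of the old_passwords check.
// Helper names, the settings object shape and the sample data are
// constructed for this example and are not part of SecureCloudDB's API.

// Only the 5.6 engine line is in scope, matching the default rule.
const SUPPORTED_MAJOR_MINOR = ["5.6"];

// Aliases documented for pre-5.6.6 servers: 0 may be reported as OFF, 1 as ON.
const VALUE_ALIASES = { OFF: "0", ON: "1" };

// Authentication plugin selected by each normalized value.
const PLUGIN_BY_VALUE = {
  "0": "mysql_native_password",
  "1": "mysql_old_password",
  "2": "sha256_password",
};

// True when engineVersion (e.g. "5.6.40") belongs to a supported major.minor line.
function isVersionSupported(engineVersion, supported = SUPPORTED_MAJOR_MINOR) {
  if (typeof engineVersion !== "string") return false;
  const parts = engineVersion.split(".");
  if (parts.length < 2) return false;
  return supported.includes(`${parts[0]}.${parts[1]}`);
}

// Canonicalizes the reported value: trims, upper-cases and resolves ON/OFF
// to the numeric form. Returns null when no value was reported.
function normalizeOldPasswords(rawValue) {
  if (rawValue === undefined || rawValue === null) return null;
  const v = String(rawValue).trim().toUpperCase();
  return VALUE_ALIASES[v] ?? v;
}

// Evaluates one instance. Assumed shape: { engineVersion, parameters: { old_passwords } }.
// A missing or unrecognized value is treated as a failed check rather than a pass.
function evaluateOldPasswords(databaseSettings) {
  if (!isVersionSupported(databaseSettings.engineVersion)) {
    return { success: true, skipped: true, reason: "engine version not in scope" };
  }
  const value = normalizeOldPasswords(databaseSettings.parameters?.old_passwords);
  if (value === null) {
    return { success: false, skipped: false, reason: "old_passwords not reported" };
  }
  const plugin = PLUGIN_BY_VALUE[value];
  if (plugin === undefined) {
    return { success: false, skipped: false, reason: `unrecognized old_passwords value "${value}"` };
  }
  const success = value !== "1";
  return {
    success,
    skipped: false,
    value,
    plugin,
    reason: success ? "" : "mysql_old_password hashing enabled",
  };
}

// Constructed sample inputs, not captured from a real account.
const SAMPLES = {
  compliant:   { engineVersion: "5.6.40", parameters: { old_passwords: "0" } },
  legacyAlias: { engineVersion: "5.6.4",  parameters: { old_passwords: "ON" } },
  sha256:      { engineVersion: "5.6.40", parameters: { old_passwords: "2" } },
  outOfScope:  { engineVersion: "5.7.22", parameters: { old_passwords: "1" } },
};

for (const [name, settings] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(evaluateOldPasswords(settings)));
}
```

Running it under Node prints one result line per sample: `compliant` and `sha256` pass, `legacyAlias` fails because `ON` normalizes to `1`, and `outOfScope` is skipped exactly as the default rule would skip a non-5.6 engine. Treating an unreported value as a failure is a deliberate choice here so that a parameter group that hides the setting surfaces as a finding instead of silently passing.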