
Ensure 'old_passwords' Is Not Set to '1' or 'ON'


The old_passwords server variable controls the password hashing method used by the PASSWORD() function and by the IDENTIFIED BY clause of the CREATE USER and GRANT statements.

Before MySQL 5.6.6 the value can be 0 (or OFF) or 1 (or ON). As of 5.6.6 the value can be one of the following:

0 - authenticate with the mysql_native_password plugin

1 - authenticate with the mysql_old_password plugin

2 - authenticate with the sha256_password plugin


The mysql_old_password plugin uses the pre-4.1 hashing algorithm, which produces short 16-hex-digit hashes that can be recovered quickly with an offline dictionary or brute-force attack. See CVE-2003-1480 for additional details. Note that old_passwords only governs how passwords set from now on are hashed: accounts whose passwords were set while old_passwords was 1 keep their weak hashes until those passwords are changed, so after correcting the parameter also review mysql.user for accounts still using mysql_old_password. MySQL 5.7.5 removed the mysql_old_password plugin, which is why the rule below only evaluates 5.6 instances.

Applies To

  • Databases


This rule is applied when the following tags are present:

Tag                       Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      mysql

Default Rule

const { checkRdsVersion, OK_SKIP_VERSION, getServerSetting } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {Object} result whose success flag is true if the database instance has a correct value for the old_passwords option
 */
function validate(databaseSettings) {
    // The mysql_old_password plugin is only selectable on 5.6; other engine versions are skipped
    const supportedVersions = ["5.6"]
    const supported = checkRdsVersion(databaseSettings, supportedVersions)
    if (!supported){
        return OK_SKIP_VERSION
    }

    // 0 (mysql_native_password) and 2 (sha256_password) are acceptable; 1 (mysql_old_password) is not
    const settingName = "old_passwords"
    const expectedValues = ["0", "2"]
    const currentValue = getServerSetting(databaseSettings, settingName)
    const success = expectedValues.includes(currentValue)
    return {
        success
    }
}

// invoke (databaseSettings is supplied by the rule runtime)
validate(databaseSettings)
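The rule above depends on helpers that the SecureCloudDB runtime injects through module, so it cannot be run on its own. The following is an added, stand-alone example (not SecureCloudDB's code) that re-implements the version gate and the parameter lookup locally and evaluates the old_passwords check over constructed inputs modelled on aws rds describe-db-parameters output. It goes slightly beyond the rule by normalizing the pre-5.6.6 ON/OFF spellings to 1/0 and by treating an unset parameter as the engine default of 0. The shape of databaseSettings, the helper implementations and the sample data are assumptions for this example, not the platform's real schema.

```javascript
// Added example, not SecureCloudDB's code: offline evaluation of the
// old_passwords rule. The `databaseSettings` shape below is assumed.

// Parse "5.6.40" -> [5, 6, 40]; non-numeric parts become 0.
function parseVersion(version) {
  return String(version).split(".").map((p) => parseInt(p, 10) || 0);
}

// Supported versions are "major.minor" prefixes, so "5.6" matches 5.6.x.
function checkRdsVersion(databaseSettings, supportedVersions) {
  const [major, minor] = parseVersion(databaseSettings.engineVersion);
  return supportedVersions.some((v) => {
    const [smajor, sminor] = parseVersion(v);
    return smajor === major && sminor === minor;
  });
}

// Normalize the synonyms MySQL accepts for old_passwords so that the
// pre-5.6.6 spellings "ON"/"OFF" compare like "1"/"0".
function normalizeOldPasswords(value) {
  if (value === undefined || value === null) return undefined;
  const v = String(value).trim().toUpperCase();
  if (v === "OFF") return "0";
  if (v === "ON") return "1";
  return v;
}

// Look a parameter up in the instance's parameter group; an unset
// parameter falls back to the MySQL default for old_passwords, which is 0.
function getServerSetting(databaseSettings, name) {
  const param = (databaseSettings.parameters || []).find(
    (p) => p.ParameterName === name
  );
  return normalizeOldPasswords(param && param.ParameterValue) ?? "0";
}

// Assumed skip marker; the platform's real value is not shown on the page.
const OK_SKIP_VERSION = {
  success: true,
  skipped: true,
  reason: "unsupported engine version",
};

function validate(databaseSettings) {
  const supported = checkRdsVersion(databaseSettings, ["5.6"]);
  if (!supported) return OK_SKIP_VERSION;
  const currentValue = getServerSetting(databaseSettings, "old_passwords");
  // 0 (mysql_native_password) and 2 (sha256_password) pass; 1 fails.
  const success = ["0", "2"].includes(currentValue);
  return { success, currentValue };
}

// Constructed sample instances (not real RDS output).
const SAMPLES = {
  weak:   { engineVersion: "5.6.40", parameters: [{ ParameterName: "old_passwords", ParameterValue: "1" }] },
  weakOn: { engineVersion: "5.6.5",  parameters: [{ ParameterName: "old_passwords", ParameterValue: "ON" }] },
  native: { engineVersion: "5.6.40", parameters: [{ ParameterName: "old_passwords", ParameterValue: "0" }] },
  sha256: { engineVersion: "5.6.40", parameters: [{ ParameterName: "old_passwords", ParameterValue: "2" }] },
  unset:  { engineVersion: "5.6.40", parameters: [] },
  newer:  { engineVersion: "5.7.22", parameters: [{ ParameterName: "old_passwords", ParameterValue: "1" }] },
};

// Evaluate every sample; returns a map of sample name -> rule result.
function evaluateAll() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, settings]) => [name, validate(settings)])
  );
}

console.log(evaluateAll());
```

Only the weak and weakOn samples fail; the 5.7 sample is skipped rather than failed, matching the version gate in the rule, even though its parameter group still carries a value of 1.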