
Ensure 'secure_auth' is set to 'ON'


This option dictates whether the server denies connections from clients that attempt to use accounts whose password is stored in the mysql_old_password format.


Enabling this option prevents all use of passwords stored in the old format, and hence the insecure communication over the network that comes with them.

Applies To

  • Databases


This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      mysql

Default Rule

const { checkRdsVersion, OK_SKIP_VERSION, checkServerSetting } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {boolean} true if the database instance has a correct value for secure_auth option
 */
function validate(databaseSettings) {
    // The rule is only evaluated for the MySQL 5.6 series; other versions are skipped
    const supportedVersions = ["5.6"]
    const supported = checkRdsVersion(databaseSettings, supportedVersions)
    if (!supported) {
        return OK_SKIP_VERSION
    }

    // Compare the server's secure_auth setting with the expected value
    const settingName = "secure_auth"
    const expectedValue = "on"
    const success = checkServerSetting(databaseSettings, settingName, expectedValue)
    return {
        success, // the remaining fields of the returned object are cut off on the page
    }
}

// invoke
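
The decision logic of the rule above as a stand-alone sketch; this is an added example, not the tool's own code. The settings shape (`engineVersion`, `parameters`), the helper names and the result labels are assumptions, and the sample inputs are constructed.

```javascript
// Added example: hypothetical helpers, not the rule engine's real API.
const RESULT = Object.freeze({ PASS: "PASS", FAIL: "FAIL", SKIP: "SKIP" });
const SUPPORTED_VERSIONS = ["5.6"]; // taken from the rule on this page

// True when the engine version belongs to a supported major.minor series.
function isSupportedVersion(engineVersion, supported) {
  const series = String(engineVersion || "").split(".").slice(0, 2).join(".");
  return supported.includes(series);
}

// Normalise boolean spellings: SHOW VARIABLES reports ON/OFF,
// while other sources may store the same setting as 1/0.
function asBoolean(value) {
  const v = String(value).trim().toLowerCase();
  if (["on", "1", "true"].includes(v)) return true;
  if (["off", "0", "false"].includes(v)) return false;
  return null; // unset or unrecognised
}

function evaluateSecureAuth(settings) {
  if (!isSupportedVersion(settings.engineVersion, SUPPORTED_VERSIONS)) {
    return { result: RESULT.SKIP, reason: "engine version outside rule scope" };
  }
  const param = (settings.parameters || []).find(
    (p) => String(p.name).toLowerCase() === "secure_auth"
  );
  const enabled = param ? asBoolean(param.value) : null;
  if (enabled === true) return { result: RESULT.PASS, reason: "secure_auth is enabled" };
  if (enabled === false) return { result: RESULT.FAIL, reason: "secure_auth is disabled" };
  // Design choice of this example: a missing or unparsable value is
  // reported as a failure so that it gets reviewed instead of passing silently.
  return { result: RESULT.FAIL, reason: "secure_auth not found or unrecognised" };
}

// Constructed sample inputs.
const samples = [
  { id: "db-a", engineVersion: "5.6.51", parameters: [{ name: "secure_auth", value: "1" }] },
  { id: "db-b", engineVersion: "5.6.40", parameters: [{ name: "secure_auth", value: "OFF" }] },
  { id: "db-c", engineVersion: "5.7.44", parameters: [{ name: "secure_auth", value: "0" }] },
  { id: "db-d", engineVersion: "5.6.51", parameters: [] },
];
for (const s of samples) {
  const { result, reason } = evaluateSecureAuth(s);
  console.log(`${s.id}: ${result} (${reason})`);
}
```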