[SOLVED] phpMyAdmin Showing #1819 - Your password does not satisfy the current policy requirements

bulletproof.rs · 08-23-2018, 02:53 AM

Hello everyone.

I've been having issues on one of the servers im administrating, basically, whenever i try to create a user in phpmyadmin i receive an error message stating:

Code:

#1819 - Your password does not satisfy the current policy requirements

However, I've made sure that password policies are down to bare minimum.
Here's the output generated from console:

Code:

mysql> SHOW VARIABLES LIKE 'validate_password%'
    -> ;
+--------------------------------------+-------+
| Variable_name                        | Value |
+--------------------------------------+-------+
| validate_password.check_user_name    | OFF   |
| validate_password.dictionary_file    |       |
| validate_password.length             | 6     |
| validate_password.mixed_case_count   | 0     |
| validate_password.number_count       | 0     |
| validate_password.policy             | LOW   |
| validate_password.special_char_count | 0     |
+--------------------------------------+-------+
7 rows in set (0.00 sec)

When i try to add a user from phpmyadmin, i will get the error message already mentioned but when i use the exact same syntax directly in mysql console, i have no issues.
Server I'm running on is using Apache/2.4.6 on CentOS 7.5 with PHP/7.2.9 and MySQL Version is 8.0.12
phpMyAdmin version is (should be latest) 4.8.3.

I'm really really thinking this as a phpmyadmin bug since, as i said, it works fine when i type the syntax manually, either in mysql console or in SQL tab of phpmyadmin.
That would not be an option when we go into production since I'm trying to make this as easier as possible for end user to use.

I've set these in my.cnf file:

Code:

validate_password.check_user_name=OFF
validate_password.policy=LOW
validate_password.length=6
validate_password.mixed_case_count=0
validate_password.number_count=0
validate_password.special_char_count=0
default_authentication_plugin=mysql_native_password

Any ideas ?
Thanks in advance !

EDIT:
Problem solved by running : "UNINSTALL COMPONENT 'file://component_validate_password';"

unSpawn · 08-25-2018, 07:14 AM

Quote:

Originally Posted by bulletproof.rs

I'm trying to make this as easier as possible for end user to use.

I understand that and thanks for posting your solution. However given past compromises I would very much like you to first think what kind of data you'll be storing and how leaking that would not only affect end users but also the image of the product or service you'll be providing. Think about offering end users ways to ease authentication, yes, but please don't compromise the most basic of information security requirements.

bulletproof.rs · 08-25-2018, 08:52 AM

Server itself is perfectly isolated from outside world and it cannot be accessed from outside of private network and even from within inside, you need VPN to access it. This is for our developers to use and develop scripts that will use other servers as a gateway to go outside, gather info and store them into database. End users i was thinking about are 3 people in development sector from within my company. They already have pretty strong passwords but the problem is they couldn't have created them from phpmyadmin, they needed to do it manually but wanted a way to not do it in that way since they are not comfortable with CLI.
They are well aware of possible security risks either way and I am completely agreeing with you with what you say.

scasey · 08-25-2018, 10:08 AM

Further to unSpawn's thoughts, and understanding that, in your case, turning off password validation might be acceptable, I have to ask...did you restart mysql after you changed the validation parameters?
Did you log off and back onto phpMyAdmin?

Just looking for reasons that might help others in the future without disabling password validation.

unSpawn · 08-25-2018, 11:01 AM

Quote:

Originally Posted by bulletproof.rs

They are well aware of possible security risks either way and I am completely agreeing with you with what you say.

Thanks, that's one worry less : - )

bulletproof.rs · 08-25-2018, 11:09 AM

Quote:

Originally Posted by scasey

Further to unSpawn's thoughts, and understanding that, in your case, turning off password validation might be acceptable, I have to ask...did you restart mysql after you changed the validation parameters?
Did you log off and back onto phpMyAdmin?

Just looking for reasons that might help others in the future without disabling password validation.

Yes, definitely, i have restarted mysqld and ran CTRL+F5 to reload the page - that is to reload with clearing the cache of that page. It logged me out automatically... For whatever reason, when password validation was enabled, phpmyadmin was unable to create user account for mo natter how strong password was typed in. Even when password requirements were lowered to hell.

I think there are definitely some compatibility issues between phpmyadmin and mysql 8. Since it works like a charm on mysql 5x.