Password strength requirements for MySQL, EDB PostgreSQL, and Oracle database accounts

At Indiana University, to mitigate the risk of unauthorized access to sensitive data, UITS requires that database passwords be strong and difficult to guess. Password strength algorithms check a candidate password for conditions such as minimum length, mixed-case letters, numbers, and special characters. They can be written in most programming languages, and the conditions they define vary greatly with how complex the password must be.

Password requirements

Oracle and EDB PostgreSQL

For Oracle and EDB PostgreSQL databases, to meet the minimum conditions required for a strong password, the password must:

  • Differ from the previous password by at least four characters
  • Contain at least:
    • Nine characters
    • Two uppercase letters
    • Two lowercase letters
    • Two numbers
    • Two of the following allowed special characters:
        ‘ ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ / < > , . ; ? ' : | (space)

Oracle provides a PL/SQL function to enforce these password conditions on database user profiles. In Oracle 12c, this function is called ora12c_strong_verify_function, but is not configured by default. When you create a new Oracle account or change a password for an existing account, this function will check for the minimum conditions and reject the candidate password if those conditions are not met. UITS Oracle and EDB PostgreSQL databases are configured to use this function for password strength enforcement.

MySQL

For MySQL databases, to meet the minimum conditions required for a strong password, the password must contain at least:

  • Nine characters
  • Two uppercase letters
  • Two lowercase letters
  • Two numbers
  • Two of the following allowed special characters:
      ‘ ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] / < > , . ; ? ' : | (space)
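
As an added illustration (not UITS, Oracle, EDB, or MySQL code), the conditions listed above can be pre-checked in a provisioning script before the candidate password is sent to the database. The function and constant names are hypothetical, letters and digits are assumed to be ASCII, and "differ by at least four characters" is assumed to mean an edit distance of at least 4.

```python
# Added example: client-side pre-check of the conditions listed on this page.
# It does not replace the server-side verification in the database.

# Allowed special characters, copied from the Oracle/EDB list as printed on this page.
ORACLE_SPECIALS = set("‘~!@#$%^&*()_-+={}[]\\/<>,.;?':| ")
# The MySQL list on this page is the same list without the backslash.
MYSQL_SPECIALS = ORACLE_SPECIALS - {"\\"}


def edit_distance(a, b):
    """Levenshtein distance (assumed meaning of 'differ by N characters')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def failed_conditions(candidate, previous=None, specials=ORACLE_SPECIALS):
    """Return the unmet conditions; an empty list means the candidate passes."""
    # Assumption: only ASCII letters and digits count toward the minimums.
    counts = {
        "uppercase letters": sum(c.isascii() and c.isupper() for c in candidate),
        "lowercase letters": sum(c.isascii() and c.islower() for c in candidate),
        "numbers": sum(c.isascii() and c.isdigit() for c in candidate),
        "allowed special characters": sum(c in specials for c in candidate),
    }
    failures = []
    if len(candidate) < 9:
        failures.append("fewer than 9 characters")
    failures += [f"fewer than 2 {name}" for name, n in counts.items() if n < 2]
    # The difference rule is listed for Oracle and EDB PostgreSQL only;
    # pass previous=None to skip it (for example, for MySQL accounts).
    if previous is not None and edit_distance(previous, candidate) < 4:
        failures.append("differs from previous password by fewer than 4 characters")
    return failures
```

For MySQL accounts, call `failed_conditions(candidate, specials=MYSQL_SPECIALS)`; the returned list names every unmet condition at once, whereas the Oracle sample errors below show one failed condition per attempt.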

Sample error messages

Oracle and EDB PostgreSQL

In Oracle and EDB PostgreSQL, if the candidate password doesn't meet the required conditions, a primary error (ORA-28003) will be returned with a subordinate error describing the failed condition. For example:

SQL> create user test1 identified by "welcome";
  ORA-28003: password verification for the specified password failed
  ORA-20001: Password length less than 9
SQL> create user test identified by "welcome1!";
  ORA-28003: password verification for the specified password failed
  ORA-20026: Password must contain at least 2 uppercase character(s)

MySQL

In MySQL, if the candidate password doesn't meet the required conditions, you'll see an error message like the following:

mysql> create user test1 identified by "welcome";
  ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

This is document aphg in the Knowledge Base.
Last modified on 2023-07-18 11:27:14.