`password_history`

INFO

Rule IDs: sec_006

Overview

Purpose: Documented in the MySQL 8.4 manual as a server system variable (scope: Global). Purpose and semantics are described at the linked manual page.
Dynamic (MySQL 8.4 reference): MySQL 8.4 marks this variable as dynamic (Dynamic = Yes). Runtime changes use SET GLOBAL (global scope) or SET SESSION (session scope) — confirm syntax and persistence (SET PERSIST) in the manual.
Default value: 0 (MySQL 8.4)
Version and product notes: MariaDB and Percona Server may use different names, defaults, or dynamic behavior; verify their documentation.
Documentation: https://dev.mysql.com/doc/refman/8.4/en/server-system-variables.html#sysvar_password_history
Other vendors: MariaDB KB Percona Docs

What is checked

Rules that reference this variable, with their severity and what each rule detects:

INFO sec_006: Set password_history > 0 (e.g., 5-10) for compliance with password reuse policies.

Tuning guidance

Recommended actions:
- Set password_history > 0 (e.g., 5-10) for compliance with password reuse policies.
Trade-offs: Security settings protect against unauthorized access and data exposure. Tighter settings may require application changes (e.g., SSL certificates for require_secure_transport, IP-based grants for skip_name_resolve).

Example

SET GLOBAL password_history = 5; -- Remember last 5 passwords

Always validate on a non-production instance first. Use SET PERSIST (MySQL 8.0+) for changes that should survive restarts.

Generated from the MySQL Advisor documentation build. Dynamic Yes/No reflects the excerpt aligned with Oracle MySQL 8.4 reference material consumed by this project.