Sign inTry Free

Configuring a Password Policy

On this page

You can configure a robust password policy, including rules for password expiration, reuse, and complexity, by configuring the following engine variables. See the engine variables overview for information on working with engine variables.

When configuring the settings described below, you can use the sdb-admin tool (sdb-admin update-config ...) so that configuration changes are written to the .cnf file and persist across any server reboots.

For example, to set passwords to expire after two weeks:

sdb-admin update-config --all --set-global --key "password_expiration_seconds" --value "1209600"

Password Expiration

password_expiration_seconds: The time in seconds before a password expires. The default value is 0, which indicates that passwords never expire.

expire_root_password: Specifies whether the root password can expire. The default value is OFF. When set to OFF, the password_expiration_seconds duration does not apply to the root password. If set to ON, the root password expires after the password_expiration_seconds duration is reached.

Note

A password expiration warning is raised to the user on every query, starting 14 days before the password expires.

password_expiration_mode: Specifies what happens when a user's password expires. The default value is NO_ACCESS. If set to NO_ACCESS, the user cannot login after the password expires. If set to LIMITED_ACCESS, the user can login after the password expires but can only update their password using ALTER USER or SET PASSWORD commands. Until the password is updated, no other commands can be executed except SET SESSION or SET LOCAL.

Password Reuse

password_history_count: Restricts the reuse of previous user passwords. This variable is the number of previous passwords per user that SingleStore stores and disallows from reuse.

SingleStore does not allow setting a user account’s password to one of the last password_history_count number of passwords for that user. The count includes the current password. For example, if set to 2, setting a user’s password to its current password or the last password before the current password is disallowed. The default value is 0, which indicates that any previous password can be reused. The maximum is 10.

Password Complexity

The following variables control password complexity requirements. For each variable, the default value is 0 (disabled) and the accepted values are integers ranging from 0 to 100.

password_min_length: The minimum number of characters required.

password_min_uppercase_chars: The minimum number of uppercase characters required.

password_min_lowercase_chars: The minimum number of lowercase characters required.

password_min_numeric_chars: The minimum number of numeric digit characters required.

password_min_special_chars: The minimum number of special (non-alphanumeric) characters required.

password_max_consec_sequential_chars: The maximum number of consecutive characters allowed. For example, if set to 3, passwords with a 4-letter sequence or longer (e.g 1234 or abcd) are disallowed.

password_max_consec_repeat_chars: The maximum number of consecutive repeated characters allowed. For example, if set to 3, passwords with 4 or more consecutive repeated characters (e.g., aaaa or 1111) are disallowed.

When a user enters a new password, if the password does not meet the password complexity policy, the following error message is returned:

Error: password does not meet the requirements specified for <variable> in your password complexity policy. Password not changed.

Example Password Complexity Usage

The following stored procedure (you can also use individual SET statements in the command line) creates a password complexity policy where passwords must:

  • be at least 12 characters long

  • include at least one uppercase character

  • include at least one lowercase character

  • include at least one numeric character

  • include at least one special character

CREATE DATABASE db_security
USE db_security


DELIMITER //
CREATE OR REPLACE PROCEDURE set_password_complexity_policy() AS
BEGIN
    SET GLOBAL password_min_length=12;
    SET GLOBAL password_min_uppercase_chars=1;
    SET GLOBAL password_min_lowercase_chars=1;
    SET GLOBAL password_min_numeric_chars=1;
    SET GLOBAL password_min_special_chars=1;
END
//
DELIMITER ;


CALL set_password_complexity_policy();

Password Complexity and Existing Passwords

When changes are made to the password complexity policy, existing passwords are not checked. The policy only applies to new or changed passwords.

Password Complexity in Previous Versions

For versions 7.1 - 7.5, the password complexity variable is defined as follows:

strict_passwords: When set to ON, SingleStore requires that all passwords be at least 6 characters in length, contain at least one letter, and contain at least one number. The default value is OFF. Enabling strict-passwords=ON does not affect current users.

Warning

strict_passwords is deprecated as of version 7.1 of SingleStore. If you use both strict_passwords and any of the password complexity variables described in this topic, then both sets of rules are enforced. SingleStore recommends leaving strict_passwords set to OFF (the default).

Last modified: June 30, 2025

Was this article helpful?

On this page

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined

  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined

  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
        cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
          --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
          --bundle undefined \
          --new-bundle-format -
    Verified OK