
Understanding MySQL 8.0 Current Password Validation Policy

This article explains MySQL 8.0's new current‑password validation strategies, showing how to enforce old‑password checks per user or globally, with detailed command‑line examples and options to enable, disable, or customize the behavior for enhanced security.

Aikesheng Open Source Community

Introduction

This section introduces MySQL 8.0's built‑in password validation policies.

Body

In earlier MySQL versions, an ordinary user could change their own password without supplying the old one. MySQL 8.0 adds the password require current clause, which forces the old password to be verified before a change is accepted.

Insecure scenario

If a user leaves a session open, someone else with access to that session can change the user's password without knowing the old one, and the original user can then no longer log in.

Current password validation policy

MySQL 8.0 provides two ways to apply the policy:

1. Per‑user setting (admin side)

Create or modify a user with the clause password require current so that the user must supply the current password whenever they change it.

mysql:(none)>create user ytt_admin identified by 'root123' password require current;
Query OK, 0 rows affected (0.11 sec)

When ytt_admin tries to change the password, the old password must be supplied.

root@ytt-ubuntu:/home/ytt# mysql -h ytt-ubuntu -uytt_admin -proot123
...
mysql:(none)>alter user ytt_admin identified by 'root';
ERROR 3892 (HY000): Current password needs to be specified in the REPLACE clause in order to change it.

Providing the old password with replace succeeds:

mysql:(none)>alter user ytt_admin identified by 'root' replace 'root123';
Query OK, 0 rows affected (0.00 sec)

To retain the old behavior, use the optional keyword:

-- default can be used in place of optional while the global password_require_current is off
mysql:(none)>alter user ytt_admin password require current optional;
Query OK, 0 rows affected (0.04 sec)

Now the user can change the password without verification:

mysql:(none)>alter user ytt_admin identified by 'root';
Query OK, 0 rows affected (0.01 sec)

2. Global setting (all users)

The global variable password_require_current controls the policy for every user. It is off by default.

mysql:(none)>set persist password_require_current=on;
Query OK, 0 rows affected (0.00 sec)

Create a new user ytt_usage:

mysql:(none)>create user ytt_usage identified by 'root123';
Query OK, 0 rows affected (0.00 sec)

Attempting to change the password without the old one fails:

root@ytt-ubuntu:~# mysql -uytt_usage -proot123 -h ytt-ubuntu
...
mysql:(none)>alter user ytt_usage identified by 'root';
ERROR 3892 (HY000): Current password needs to be specified in the REPLACE clause in order to change it.

Supplying the old password with replace succeeds:

mysql:(none)>alter user ytt_usage identified by 'root' replace 'root123';
Query OK, 0 rows affected (0.02 sec)

Note that the alter user clause can override the global setting, allowing you to disable the policy for a specific user:

mysql:(none)>alter user ytt_usage password require current optional;
Query OK, 0 rows affected (0.11 sec)

After disabling, the user can change the password without verification:

mysql:(none)>alter user ytt_usage identified by 'rootnew';
Query OK, 0 rows affected (0.11 sec)

The clause password require current default follows the global variable: if the global variable is off, it restores the old behavior; if on, it enforces the new behavior.

mysql:(none)>alter user ytt_usage password require current default;
Query OK, 0 rows affected (0.09 sec)
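
Because a per-user clause can override the global variable, it helps to audit what is actually enforced for each account. The queries below are an added example, not part of the original article. They assume the account running them can read mysql.user, and that its Password_require_current column holds 'Y' for require current, 'N' for optional and NULL for default.

```sql
-- Added example: report the effective current-password policy per account.
-- Assumption: Password_require_current is 'Y' (REQUIRE CURRENT),
-- 'N' (REQUIRE CURRENT OPTIONAL) or NULL (REQUIRE CURRENT DEFAULT).
SELECT
    user,
    host,
    CASE
        WHEN Password_require_current = 'Y' THEN 'require current'
        WHEN Password_require_current = 'N' THEN 'require current optional'
        ELSE 'require current default'
    END AS account_setting,
    @@global.password_require_current AS global_setting,
    CASE
        -- An explicit per-user clause wins over the global variable.
        WHEN Password_require_current = 'Y' THEN 'enforced'
        WHEN Password_require_current = 'N' THEN 'not enforced'
        -- DEFAULT accounts follow the global variable.
        WHEN @@global.password_require_current = 1 THEN 'enforced'
        ELSE 'not enforced'
    END AS effective_policy
FROM mysql.user
ORDER BY effective_policy, user, host;

-- Generate (but do not run) the statements that would put every
-- explicitly exempted account back under the global setting.
SELECT CONCAT(
           'ALTER USER ', QUOTE(user), '@', QUOTE(host),
           ' PASSWORD REQUIRE CURRENT DEFAULT;'
       ) AS fix_statement
FROM mysql.user
WHERE Password_require_current = 'N';
```

Review the generated statements before executing them, since some accounts may have been exempted deliberately.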

Conclusion

The current password validation policy introduced in MySQL 8.0 enhances security by requiring the old password during changes, with flexible per‑user and global configurations.
