Understanding MySQL 8.0 validate_password Component and Its Impact on Password Policy

Background: Users observed that in production environments where MySQL 8.0.18 was installed via a unified script, some instances enforced a password policy while others did not.

Analysis: The configuration file my.cnf showed no validate_password parameter, yet the database reported password‑policy settings. Further inspection revealed that the validate_password plugin was not installed, but the password policy was still active.

Reason: Documentation for MySQL 8.0 indicates that the validate_password functionality can be provided by a component rather than a traditional plugin. MySQL Components are a new, component‑based architecture introduced in 8.0 that allows server extensions to be loaded as separate modules. The distribution includes several components, such as error‑log configuration, password checking, audit‑log extensions, and user‑defined query‑attribute functions.

Specifically, the validate_password component implements password‑policy enforcement. Removing this component disables the policy. In MySQL versions prior to 8.0, validate_password existed only as a plugin; from 8.0 onward it can be installed either as a plugin or as a component.

Conclusion: The unified installation script likely installed the validate_password component automatically, which explains why password policy was enforced even without the plugin. Deleting the component restores the default behavior.