Fix MySQL ERROR 1819 Password Policy | NOC.org Support

MySQL ERROR 1819 occurs when you attempt to set a password that does not meet the requirements enforced by MySQL's validate_password component. This is a security feature — not a bug — and understanding how to work with it properly will keep your databases secure while eliminating the error.

What ERROR 1819 Means

The full error message reads:

ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

This means MySQL's password validation plugin (or component, in MySQL 8.0+) is active and the password you provided does not meet the configured minimum requirements for length, complexity, or both.

The validate_password Plugin

MySQL includes a password validation mechanism that checks passwords against configurable rules before accepting them. In MySQL 5.7, this is a plugin called validate_password. In MySQL 8.0+, it was converted to a server component called validate_password (the configuration variables changed from underscores to dots in 8.0, though the underscore versions still work as aliases).

This plugin is often enabled by default when you install MySQL from official packages or when you run mysql_secure_installation.

Checking Current Password Policy

To see the current password policy settings, run:

SHOW VARIABLES LIKE 'validate_password%';

The output will look similar to this:

+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password_check_user_name    | ON     |
| validate_password_dictionary_file    |        |
| validate_password_length             | 8      |
| validate_password_mixed_case_count   | 1      |
| validate_password_number_count       | 1      |
| validate_password_policy             | MEDIUM |
| validate_password_special_char_count | 1      |
+--------------------------------------+--------+

Understanding Policy Levels

MySQL offers three policy levels, each with different requirements:

LOW (or 0)

Only checks password length. The minimum length is controlled by validate_password_length (default: 8).

MEDIUM (or 1) — Default

Checks length plus requires the password to contain:

  • At least validate_password_number_count numeric characters (default: 1)
  • At least validate_password_mixed_case_count lowercase characters (default: 1)
  • At least validate_password_mixed_case_count uppercase characters (default: 1)
  • At least validate_password_special_char_count special/non-alphanumeric characters (default: 1)

STRONG (or 2)

Everything in MEDIUM plus checks the password against a dictionary file (if configured via validate_password_dictionary_file). Passwords matching dictionary words or common substrings will be rejected.

Setting a Compliant Password

With the default MEDIUM policy, a compliant password must be at least 8 characters long and include uppercase letters, lowercase letters, numbers, and special characters. For example:

-- This will FAIL with default MEDIUM policy:
ALTER USER 'dbuser'@'localhost' IDENTIFIED BY 'password';

-- This will FAIL (no special character, no uppercase):
ALTER USER 'dbuser'@'localhost' IDENTIFIED BY 'password123';

-- This will SUCCEED:
ALTER USER 'dbuser'@'localhost' IDENTIFIED BY 'S3cure_P@ss!';

-- This will SUCCEED (long, complex):
ALTER USER 'dbuser'@'localhost' IDENTIFIED BY 'Xk9#mW2$vR5nQ8@p';

Generating strong passwords is good practice. You can use openssl rand -base64 24 on the command line to generate a random string, then add a special character if one was not included.
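
As an added example (not part of the original article and not MySQL's own code), the Python below mirrors the LOW and MEDIUM rules described above so that a deployment script can generate a password and check it locally before running ALTER USER. The function names, DEFAULT_POLICY and the SPECIALS character set are assumptions made for illustration; the STRONG dictionary check happens only on the server.

```python
import secrets
import string

# Defaults copied from the SHOW VARIABLES output above (MEDIUM policy).
DEFAULT_POLICY = {"policy": "MEDIUM", "length": 8, "number_count": 1,
                  "mixed_case_count": 1, "special_char_count": 1}
# Assumed symbol set: no quotes, backslash, $ or backtick, so the result can
# be embedded in SQL or shell strings without escaping.
SPECIALS = "!#%+-_=@^~"

def policy_violations(password, policy=DEFAULT_POLICY, user_name=None):
    """Local approximation of the LOW/MEDIUM checks; [] means compliant."""
    problems = []
    if len(password) < policy["length"]:
        problems.append("too short")
    # check_user_name: reject the user name itself or its reverse
    if user_name and password in (user_name, user_name[::-1]):
        problems.append("matches user name")
    if policy["policy"] == "LOW":
        return problems  # LOW: no character-class rules
    # MEDIUM rules; STRONG adds a dictionary check that only the server can do
    required = [
        ("digits", str.isdigit, policy["number_count"]),
        ("lowercase letters", str.islower, policy["mixed_case_count"]),
        ("uppercase letters", str.isupper, policy["mixed_case_count"]),
        ("special characters", lambda c: not c.isalnum(), policy["special_char_count"]),
    ]
    for label, matches, minimum in required:
        if sum(1 for c in password if matches(c)) < minimum:
            problems.append("too few " + label)
    return problems

def generate_password(length=24, policy=DEFAULT_POLICY):
    """Draw candidates from the OS CSPRNG until one passes the local check."""
    needed = (policy["number_count"] + 2 * policy["mixed_case_count"]
              + policy["special_char_count"])
    if length < max(policy["length"], needed):
        raise ValueError("length is below what the policy requires")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate, policy):
            return candidate

if __name__ == "__main__":
    for pw in ("password", "password123", "S3cure_P@ss!"):
        print(repr(pw), policy_violations(pw, user_name="dbuser") or "OK")
    print("generated:", generate_password())
```

A password that passes this local check can still be rejected by the server, for example under STRONG with a dictionary file configured.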

Changing the Password Policy Level

If you need to adjust the policy — for example, lowering it to LOW for a development environment — you can change it at runtime:

-- Set to LOW (length check only)
SET GLOBAL validate_password_policy = LOW;

-- Or set to STRONG
SET GLOBAL validate_password_policy = STRONG;

-- You can also adjust the minimum length
SET GLOBAL validate_password_length = 12;

-- In MySQL 8.0+ the component's variables use dots:
-- validate_password.policy, validate_password.length

To make the change persist across MySQL restarts, add it to your MySQL configuration file (/etc/mysql/mysql.conf.d/mysqld.cnf or /etc/my.cnf):

[mysqld]
validate_password_policy = LOW
validate_password_length = 12

Temporarily Disabling Password Validation (Development Only)

In development or testing environments, you may want to disable the plugin entirely. This is not recommended for production servers:

-- MySQL 5.7
UNINSTALL PLUGIN validate_password;

-- MySQL 8.0+
UNINSTALL COMPONENT 'file://component_validate_password';

To re-enable it:

-- MySQL 5.7
INSTALL PLUGIN validate_password SONAME 'validate_password.so';

-- MySQL 8.0+
INSTALL COMPONENT 'file://component_validate_password';

On production systems, keep the validation enabled and use strong, compliant passwords instead. Weak database passwords are a primary target in brute-force attacks and should be avoided.

Checking if the Plugin Is Installed

If you are not sure whether the plugin is active:

-- MySQL 5.7
SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME = 'validate_password';

-- MySQL 8.0+
SELECT * FROM mysql.component WHERE component_urn LIKE '%validate_password%';

If the query returns no rows, the validation component is not installed and ERROR 1819 should not occur.

Common Scenarios That Trigger This Error

  • After running mysql_secure_installation: This script installs the validate_password plugin and sets the policy. Users then encounter 1819 when creating application database users with simple passwords.
  • Docker or cloud images: Many pre-built MySQL Docker images and cloud database services enable password validation by default.
  • Upgrading from MySQL 5.6 to 5.7/8.0: Older installations may not have had the plugin. After an upgrade, the plugin may be enabled automatically.
  • Automated deployment scripts: Scripts that create database users with hardcoded passwords often fail when the plugin is active and the hardcoded password is too simple.

Best Practices

  1. Keep the MEDIUM or STRONG policy on production systems. The inconvenience of complex passwords is far outweighed by the security benefit.
  2. Use a password manager or generator to create passwords that meet the requirements.
  3. Set the policy once in the configuration file rather than changing it at runtime, so it persists across restarts.
  4. Document the policy for your team so developers know the password requirements before writing deployment scripts.
  5. Use the LOW policy only in development environments that are isolated from production networks.
