How to set or reset MySQL or MariaDB root password

Recovering a lost root password in MySQL or MariaDB restores access to account management, backups, and server-wide configuration changes. A password reset is often faster and safer than rebuilding the data directory or restoring a full database dump.

Authentication is enforced by the privilege (grant) tables in the mysql system schema. Starting the server with --skip-grant-tables bypasses privilege checks, enabling a local session to assign a new authentication method and password for root@localhost before returning the daemon to normal startup.

During bypass mode, connections through the local socket gain unrestricted access, so the server must stay isolated and the window must stay short. A Linux host using systemd is assumed, with a socket directory at /var/run/mysqld and a mysql service account; unit names and authentication plugins can differ between MySQL and MariaDB packages.

1. Stop the database service managed by systemd.

   $ sudo systemctl stop mysql

   Common alternates include:

   $ sudo systemctl stop mariadb
   $ sudo systemctl stop mysqld

2. Create the /var/run/mysqld socket directory when missing.

   $ sudo mkdir -p /var/run/mysqld

3. Set ownership of /var/run/mysqld to the mysql service account.

   $ sudo chown mysql:mysql /var/run/mysqld

   Some distributions run the daemon as a mariadb user instead of mysql.

4. Start mysqld in bypass mode using --skip-grant-tables, --skip-networking.

   $ sudo mysqld_safe --skip-grant-tables --skip-networking &
   [1] 4225
   mysqld_safe Logging to '/var/log/mysql/error.log'.
   mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql

   Authentication checks are disabled, so local socket access becomes full administrative access; keep the host isolated; shut down bypass mode immediately after the password change. A missing /var/run/mysqld directory triggers:

   mysqld_safe Directory '/var/run/mysqld' for UNIX socket file doesn't exist.

5. Open a local mysql client session as root without a password.

   $ mysql -u root
   Welcome to the MySQL monitor.  Commands end with ; or \g.
   Server version: 8.0.32-0ubuntu0.22.10.2 (Ubuntu)
   ##### snipped #####
   mysql>

   If the socket is not auto-detected, pass --socket explicitly:

   $ mysql -u root --socket=/var/run/mysqld/mysqld.sock

6. Reload the grant tables inside the mysql shell.

   mysql> FLUSH PRIVILEGES;
   Query OK, 0 rows affected (0.01 sec)

7. Set a new password for root@localhost.

   mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'NEW_PASSWORD';
   Query OK, 0 rows affected (0.00 sec)

   MariaDB commonly uses:

   ALTER USER 'root'@'localhost' IDENTIFIED BY 'NEW_PASSWORD';

   Installations that default to auth_socket (MySQL) or unix_socket (MariaDB) switch to password authentication when a password-based plugin is set.

8. Exit the mysql shell.

   mysql> exit
   Bye

9. Shut down the bypass-mode server using mysqladmin.

   $ sudo mysqladmin -u root shutdown

   If shutdown fails due to a nonstandard socket path, add --socket:

   $ sudo mysqladmin -u root --socket=/var/run/mysqld/mysqld.sock shutdown

10. Restart the database service securely under systemd.

    $ sudo systemctl restart mysql

    Use the matching unit name if the service is mariadb or mysqld.

11. Verify password authentication for the root account.

    $ mysql -u root -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    ##### snipped #####
    mysql>

    Reaching the mysql> prompt confirms that the new password is active.