How to change MySQL or MariaDB user password

Rotating database credentials reduces the blast radius of leaked secrets and prevents long-lived passwords from becoming permanent skeleton keys. A password change also revokes access quickly after an accidental exposure in a repo, ticket, or log.

In MySQL and MariaDB, an account is identified by the pair 'user'@'host' and authenticated using an authentication plugin plus a stored credential hash. The recommended approach is changing the password with ALTER USER, which updates the account record and affects new connections immediately.

Account identity is host-scoped, so changing 'app'@'localhost' does not change 'app'@'%'. Existing sessions can stay connected until they reconnect, so coordinating application updates matters, and password policies (such as validate_password) can reject weak values.

Steps to change a MySQL or MariaDB user password:

Connect to the database with an administrative account.
```
$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 31
Server version: 8.0.35 MySQL Community Server - GPL
##### snipped #####
mysql>
```
On Linux systems using socket authentication for root, sudo mysql can open a local admin session without prompting for a password, and some installs provide the client as mariadb.

Identify the exact 'user'@'host' entry.

mysql> SELECT user, host, plugin FROM mysql.user WHERE user = 'app';
+------+-----------+-----------------------+
| user | host      | plugin                |
+------+-----------+-----------------------+
| app  | localhost | caching_sha2_password |
| app  | %         | caching_sha2_password |
+------+-----------+-----------------------+
2 rows in set (0.00 sec)

'app'@'localhost' and 'app'@'%' are different accounts with separate passwords, and ERROR 1396 typically indicates the selected 'user'@'host' entry does not exist.

Change the password for the selected account using ALTER USER.
```
mysql> ALTER USER 'app'@'localhost' IDENTIFIED BY 'N3w_Str0ng_Pass!';
Query OK, 0 rows affected (0.01 sec)
```
ALTER USER applies immediately for new sessions, so services still holding the old password will start failing on reconnect, and older client drivers may require mysql_native_password instead of caching_sha2_password.
Exit the mysql client.
```
mysql> exit
Bye
```
Update every application or job that authenticates with the modified account.

Long-lived connection pools can keep working until the next reconnect, so a restart or pool recycle is often required to prove the new secret is in use.

$ mysql -u app -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
mysql>

Confirm the account chosen by the server.

mysql> SELECT USER(), CURRENT_USER();
+---------------+--------------+
| USER()        | CURRENT_USER() |
+---------------+--------------+
| app@localhost | app@localhost  |
+---------------+--------------+
1 row in set (0.00 sec)

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.