How to change MySQL or MariaDB user password

Changing a database user's password is the normal way to rotate application secrets, cut off access after a credential leak, and hand over ownership without recreating the account or reapplying grants.

In MySQL and MariaDB, the password belongs to one exact 'user'@'host' account definition, not just to a username. ALTER USER updates that account's authentication data in the grant tables while keeping the account itself and its existing privileges in place.

The exact host entry matters, existing sessions can stay connected until they reconnect, and authentication plugins can change the correct syntax. Current MySQL releases use caching_sha2_password by default, while current Ubuntu MariaDB packages commonly use mysql_native_password for password-authenticated accounts, so inspect the target account before changing it when older drivers or plugin-specific authentication are involved.

1. Open a privileged mysql client session on the target server.

   $ mysql --user=root --password
   Enter password:
   mysql>

   On socket-authenticated local installs, sudo mysql or sudo mariadb can open the administrative session without a password prompt. Add --host and --port for a remote server, and use mariadb if that is the installed client command.

2. Identify the exact 'user'@'host' account and its current authentication plugin.

   mysql> SELECT User, Host, plugin FROM mysql.user WHERE User = 'appuser';
   +---------+-----------+-----------------------+
   | User    | Host      | plugin                |
   +---------+-----------+-----------------------+
   | appuser | localhost | mysql_native_password |
   +---------+-----------+-----------------------+
   1 row in set (0.00 sec)

   'appuser'@'localhost', 'appuser'@'127.0.0.1', and 'appuser'@'%' are separate accounts with separate passwords. If the query returns no row, or the wrong host, changing another entry will not fix the login that is failing.

   If the account might use unix_socket, auth_socket, ed25519, or another non-default method, inspect the full definition with

   SHOW CREATE USER 'appuser'@'localhost'\G

   before changing it. Current MariaDB 10.4 and later can attach more than one authentication method to a single account.

3. Change the password for the selected account with ALTER USER.

   mysql> ALTER USER 'appuser'@'localhost' IDENTIFIED BY 'N3w_Str0ng_Pass!';
   Query OK, 0 rows affected (0.00 sec)

   New connections start using the new password immediately. Rotate the secret in every application, job, or option file before restarting pools or services, or the next reconnect will fail with Access denied.

   The statement text can be written to client history or server logs on some setups. Run the change from a trusted administration host and avoid leaving the new secret in shared history files or saved terminal captures.

4. Update every application, job, and option file that uses the modified account.

   Long-lived connection pools can keep working until they reconnect, so recycle the pool or restart the service after the secret is updated to prove the old password is no longer in use.

5. Log in with the new password using the same host path that the workload uses.

   $ mysql --user=appuser --password
   Enter password:
   mysql>

   Use the same connection method as the real workload. A local socket login against localhost and a TCP login to 127.0.0.1 can match different 'user'@'host' accounts.

6. Confirm the account that the server matched for privilege checks.

   mysql> SELECT USER() AS client_user, CURRENT_USER() AS authenticated_user;
   +-------------------+--------------------+
   | client_user       | authenticated_user |
   +-------------------+--------------------+
   | appuser@localhost | appuser@localhost  |
   +-------------------+--------------------+
   1 row in set (0.00 sec)

   USER() shows the identity supplied by the client. CURRENT_USER() shows the exact account entry that the server authenticated and used for privilege checks.