Rotating database credentials reduces the blast radius of leaked secrets and prevents long-lived passwords from becoming permanent skeleton keys. A password change also revokes access quickly after an accidental exposure in a repo, ticket, or log.
In MySQL and MariaDB, an account is identified by the pair 'user'@'host' and authenticated using an authentication plugin plus a stored credential hash. The recommended approach is changing the password with ALTER USER, which updates the account record and affects new connections immediately.
Account identity is host-scoped, so changing 'app'@'localhost' does not change 'app'@'%'. Existing sessions can stay connected until they reconnect, so coordinating application updates matters, and password policies (such as validate_password) can reject weak values.
Steps to change a MySQL or MariaDB user password:
- Connect to the database with an administrative account.
$ mysql -u root -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 59 Server version: 8.0.44 MySQL Community Server - GPL Copyright (c) 2000, 2025, Oracle and/or its affiliates. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql>
On Linux systems using socket authentication for root, sudo mysql can open a local admin session without prompting for a password, and some installs provide the client as mariadb.
- Identify the exact 'user'@'host' entry.
mysql> SELECT user, host, plugin FROM mysql.user WHERE user = 'newuser'; +---------+-----------+-----------------------+ | user | host | plugin | +---------+-----------+-----------------------+ | newuser | localhost | caching_sha2_password | +---------+-----------+-----------------------+ 1 row in set (0.00 sec)
'app'@'localhost' and 'app'@'%' are different accounts with separate passwords, and ERROR 1396 typically indicates the selected 'user'@'host' entry does not exist.
- Change the password for the selected account using ALTER USER.
mysql> ALTER USER 'newuser'@'localhost' IDENTIFIED BY 'N3w_Str0ng_Pass!'; Query OK, 0 rows affected (0.00 sec)
ALTER USER applies immediately for new sessions, so services still holding the old password will start failing on reconnect, and older client drivers may require mysql_native_password instead of caching_sha2_password.
- Exit the mysql client.
mysql> exit Bye
- Update every application or job that authenticates with the modified account.
Long-lived connection pools can keep working until the next reconnect, so a restart or pool recycle is often required to prove the new secret is in use.
- Log in using the updated account.
$ mysql -u newuser -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 60 Server version: 8.0.44 MySQL Community Server - GPL Copyright (c) 2000, 2025, Oracle and/or its affiliates. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql>
- Confirm the account chosen by the server.
mysql> SELECT USER(), CURRENT_USER(); +-------------------+-------------------+ | USER() | CURRENT_USER() | +-------------------+-------------------+ | newuser@localhost | newuser@localhost | +-------------------+-------------------+ 1 row in set (0.00 sec)
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
