Required credentials for clients that connect to the MySQL server can include a password. This section describes how to assign passwords for MySQL accounts.
MySQL stores passwords in the user table in the
mysql system database. Operations that assign
or modify passwords are permitted only to users with the
CREATE USER privilege, or,
alternatively, privileges for the mysql
database (INSERT privilege to
create new accounts, UPDATE
privilege to modify existing accounts). If the
read_only system variable is
enabled, use of account-modification statements such as
CREATE USER or
SET PASSWORD additionally requires
the SUPER privilege.
The discussion here summarizes syntax only for the most common password-assignment statements. For complete details on other possibilities, see Section 13.7.1.1, “CREATE USER Syntax”, Section 13.7.1.3, “GRANT Syntax”, and Section 13.7.1.6, “SET PASSWORD Syntax”.
MySQL hashes passwords stored in the mysql.user
table to obfuscate them. For most statements described here, MySQL
automatically hashes the password specified. An exception is
SET PASSWORD ... =
PASSWORD(', for
which you use the auth_string')PASSWORD()
function explicitly to hash the password. There are also syntaxes
for CREATE USER,
GRANT, and SET
PASSWORD that permit hashed values to be specified
literally; for details, see the descriptions of those statements.
MySQL uses plugins to perform client authentication; see Section 6.3.6, “Pluggable Authentication”. The authentication plugin associated with an account determines the algorithm used to hash passwords for that account.
To assign a password when you create a new account, use
CREATE USER and include an
IDENTIFIED BY clause:
mysql>CREATE USER 'jeffrey'@'localhost'->IDENTIFIED BY 'mypass';
For this CREATE USER syntax, MySQL
automatically hashes the password before storing it in the
mysql.user table.
CREATE USER also supports syntax
for specifying the account authentication plugin. See
Section 13.7.1.1, “CREATE USER Syntax”.
To assign or change a password for an existing account, use one of the following methods:
Use SET PASSWORD with the
PASSWORD() function:
mysql>SET PASSWORD FOR->'jeffrey'@'localhost' = PASSWORD('mypass');
If you are not connected as an anonymous user, you can change
your own password by omitting the FOR
clause:
mysql> SET PASSWORD = PASSWORD('mypass');
The PASSWORD() function hashes
the password using the hashing method determined by the value
of the old_passwords system
variable value. If SET PASSWORD
rejects the hashed password value returned by
PASSWORD() as not being in the
correct format, it may be necessary to change
old_passwords to change the
hashing method. See Section 13.7.1.6, “SET PASSWORD Syntax”.
Use a GRANT
USAGE statement at the global level (ON
*.*) to change an account password without affecting
the account's current privileges:
mysql>GRANT USAGE ON *.* TO 'jeffrey'@'localhost'->IDENTIFIED BY 'mypass';
For this GRANT syntax, MySQL
automatically hashes the password before storing it in the
mysql.user table.
To change an account password from the command line, use the mysqladmin command:
shell> mysqladmin -u user_name -h host_name password "new_password"
The account for which this command sets the password is the
one with a mysql.user table row that
matches user_name in the
User column and the client host
from which you connect in the
Host column.
For password changes made using mysqladmin,
MySQL automatically hashes the password before storing it in
the mysql.user table.