Setting Root Password on MySQL When Empty | NOC.org Support

After a fresh MySQL or MariaDB installation, the root account may have no password or may use socket authentication that only allows access from the local system user. Either way, leaving the root account without a proper password is a security risk on any server that is accessible from a network. This guide walks through setting a root password for different MySQL versions and authentication configurations.

When Is the Root Password Empty?

The root password is typically empty in the following scenarios:

• Fresh installation: On some Linux distributions, MySQL installs with an empty root password and allows passwordless login from the local machine.
• MariaDB on Debian/Ubuntu: Default installs use unix_socket authentication (equivalent to MySQL's auth_socket), meaning the root MySQL user can only log in from the system root user without a password.
• Docker containers: Some MySQL Docker images allow setting MYSQL_ALLOW_EMPTY_PASSWORD=yes, which starts MySQL with an empty root password.
• Development environments: Local development stacks (XAMPP, MAMP, LAMP bundles) often ship with no root password.

Check Your Current Authentication Method

Before setting a password, check how the root user is currently configured:

-- MySQL 5.7+
SELECT user, host, plugin, authentication_string
FROM mysql.user WHERE user = 'root';

-- Example output with auth_socket:
+------+-----------+-------------+-----------------------+
| user | host      | plugin      | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket |                       |
+------+-----------+-------------+-----------------------+

-- Example output with empty password (mysql_native_password):
+------+-----------+-----------------------+-----------------------+
| user | host      | plugin                | authentication_string |
+------+-----------+-----------------------+-----------------------+
| root | localhost | mysql_native_password |                       |
+------+-----------+-----------------------+-----------------------+

The plugin column tells you the authentication method. The authentication_string column being empty confirms no password is set (for password-based plugins).

Method 1: ALTER USER (MySQL 5.7 and 8.0+)

The recommended method for MySQL 5.7 and later is ALTER USER:

-- Log in first (if auth_socket, run as system root)
sudo mysql

-- Set the password
ALTER USER 'root'@'localhost' IDENTIFIED BY 'YourStr0ng_P@ssword!';
FLUSH PRIVILEGES;
EXIT;

If the root user was using auth_socket and you want to switch to password authentication:

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'YourStr0ng_P@ssword!';
FLUSH PRIVILEGES;

In MySQL 8.0, the default authentication plugin changed to caching_sha2_password. If your application or client does not support it, use mysql_native_password instead:

-- MySQL 8.0: use native password for compatibility
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'YourStr0ng_P@ssword!';
FLUSH PRIVILEGES;

Method 2: SET PASSWORD (MySQL 5.7)

An older but still functional method in MySQL 5.7:

SET PASSWORD FOR 'root'@'localhost' = PASSWORD('YourStr0ng_P@ssword!');
FLUSH PRIVILEGES;

Note: The PASSWORD() function was removed in MySQL 8.0. Do not use this method on MySQL 8.0 or later — use ALTER USER instead.

Method 3: mysqladmin From the Command Line

The mysqladmin utility can set a password from the shell without entering the MySQL prompt:

# When current password is empty:
mysqladmin -u root password 'YourStr0ng_P@ssword!'

# When changing an existing password:
mysqladmin -u root -p'OldPassword' password 'NewPassword'

Be aware that passing passwords on the command line can expose them in the process list and shell history. Use this method only for initial setup, and consider clearing your shell history afterward.

Method 4: mysql_secure_installation

The mysql_secure_installation script is a comprehensive security hardening tool that guides you through several steps:

sudo mysql_secure_installation

The script will prompt you to:

1. Set or change the root password
2. Remove anonymous users
3. Disallow remote root login
4. Remove the test database
5. Reload privilege tables

This is the recommended approach for new installations because it addresses multiple security concerns at once, not just the root password. For a complete server hardening checklist, see the Linux security checklist.

Understanding auth_socket vs mysql_native_password

These are the two most common authentication plugins you will encounter:

auth_socket (or unix_socket in MariaDB)

This plugin authenticates users based on the operating system user, not a password. If the MySQL root user uses auth_socket, only the system's root user (or a user with sudo) can log in:

# This works (as system root):
sudo mysql -u root

# This will NOT work (even with the correct password):
mysql -u root -p

Pros: No password to manage or leak. Authentication is tied to the OS user.
Cons: Applications that connect to MySQL with a username and password cannot use the root account. Remote connections to the root account are not possible.

mysql_native_password

Traditional password-based authentication. The user provides a password, MySQL hashes it and compares it against the stored hash.

# Switch root from auth_socket to mysql_native_password:
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'YourStr0ng_P@ssword!';
FLUSH PRIVILEGES;

Pros: Works with all MySQL clients and applications. Supports remote connections.
Cons: Password can be compromised if weak or exposed.

caching_sha2_password (MySQL 8.0 Default)

MySQL 8.0 introduced caching_sha2_password as the default authentication plugin. It uses SHA-256 hashing with caching for better security and performance. However, older clients and libraries may not support it. If you encounter connection issues after setting a password in MySQL 8.0, switch to mysql_native_password as shown above.

Verifying the Password Change

After setting the password, verify it works:

# Exit any existing MySQL session, then:
mysql -u root -p
# Enter your new password when prompted

# If successful, you will see the mysql> prompt
mysql> SELECT CURRENT_USER();
+----------------+
| CURRENT_USER() |
+----------------+
| root@localhost |
+----------------+

Also verify the authentication method was updated:

SELECT user, host, plugin FROM mysql.user WHERE user = 'root';

Troubleshooting

• Access denied after setting password: Make sure you ran FLUSH PRIVILEGES; after the change. Also check that you are using the correct host — 'root'@'localhost' and 'root'@'127.0.0.1' are separate accounts in MySQL.
• Cannot log in after switching from auth_socket: If you switched to password authentication but forgot the password, you will need to start MySQL in --skip-grant-tables mode to reset it.
• ERROR 1819: If your password does not meet policy requirements, see MySQL ERROR 1819 — Password Policy Requirements.
• phpMyAdmin cannot connect: phpMyAdmin requires password-based authentication. If root uses auth_socket, either switch root to mysql_native_password or create a separate admin user with a password for phpMyAdmin.

Security Recommendations

1. Always set a strong root password on any server accessible from a network.
2. Run mysql_secure_installation on every new MySQL installation.
3. Create separate MySQL users for each application instead of using root.
4. Restrict root login to localhost only — never allow remote root access.
5. Consider keeping auth_socket for the root user and creating password-authenticated users for applications.