MySQL 8.0 New Authentication Plugin: caching_sha2_password
MySQL 8.0 replaces the default mysql_native_password with the caching_sha2_password plugin, which stores a 70‑byte salted SHA‑256 hash with a configurable number of rounds, caches SHA256(SHA256(password)) for fast logins, and on a cache miss falls back to full verification, RSA‑encrypted when the connection is not TLS‑protected; the article covers user creation, replication and RSA key management.
Since MySQL 8.0.4 the default authentication plugin has been changed from mysql_native_password to caching_sha2_password. The change addresses security concerns with SHA‑1 and introduces a salted SHA‑256 based mechanism with thousands of hash rounds.
The plugin stores a 70‑byte authentication_string that contains:
2‑byte identifier ($A) indicating SHA‑256.
4‑byte round count (e.g., $005 for 5000 rounds).
21‑byte random salt.
43‑byte salted hash.
Example query showing the stored value:
mysql> select user, host, authentication_string, length(authentication_string), plugin from mysql.user limit 1;
+------+------+--------------------------------------------------------------------+-------------------------------+-----------------------+
| user | host | authentication_string                                              | length(authentication_string) | plugin                |
+------+------+--------------------------------------------------------------------+-------------------------------+-----------------------+
| root | %    | $A$005$1%h5f1OdZ0'46}M[uz5Di5wW2WWg8eeLWynsg2h3xnzHwQLmm39bEqLBxB0 |                            70 | caching_sha2_password |
+------+------+--------------------------------------------------------------------+-------------------------------+-----------------------+

The system variable caching_sha2_password_digest_rounds (default 5000, min 5000, max 4095000) controls the number of hash rounds.
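The field layout above is easy to get wrong when auditing mysql.user by hand, so here is an added parser for it (example code written for this article, not MySQL's own). It splits a 70‑byte authentication_string at the fixed offsets the page gives, checks the round count against the documented bounds of caching_sha2_password_digest_rounds, and wraps that in a small audit over rows shaped like a SELECT on mysql.user. The sample value and the legacy‑plugin row are constructed, not real hashes; the function names are mine; decoding the three round‑count characters as hexadecimal is an assumption, chosen because it is what lets a three‑character field reach the documented maximum of 4095000 (the page's $005 reads as 5000 either way).

```python
import re

# Field layout the page gives for a 70-byte caching_sha2_password value:
#   "$A" (2) + "$005" (4) + "$" + 20-char salt (21) + 43-char digest = 70
DIGEST_TYPE = "$A"
EXPECTED_LENGTH = 70
SALT_LEN = 20
DIGEST_LEN = 43
ROUNDS_MIN, ROUNDS_MAX = 5000, 4095000  # caching_sha2_password_digest_rounds bounds
ROUNDS_MULTIPLIER = 1000                # "$005" stands for 5000 rounds

# Constructed sample (not a real hash): correct length and layout only.
SAMPLE_AUTH_STRING = ("$A$005$" + "aB3wx9Qz!kL0mNpR7sT2"
                      + "iZ5wW2WWg8eeLWynsg2h3xnzHwQLmm39bEqLBxB0abc")
# Constructed placeholder for a 41-char mysql_native_password value.
LEGACY_AUTH_STRING = "*" + "0" * 40


def parse_auth_string(value: str) -> dict:
    """Split a stored authentication_string into digest type, rounds, salt, digest.

    Fixed offsets are used instead of splitting on '$': the salt is random
    printable text (the page's own example contains '%' and '}'), not base64.
    """
    if len(value) != EXPECTED_LENGTH:
        raise ValueError(f"expected {EXPECTED_LENGTH} bytes, got {len(value)}")
    if value[:2] != DIGEST_TYPE:
        raise ValueError("digest type is not $A (SHA-256)")
    m = re.fullmatch(r"\$([0-9A-Fa-f]{3})", value[2:6])
    if m is None:
        raise ValueError("malformed round-count field")
    # Assumption: the three characters are hexadecimal, which is what lets the
    # field reach the documented maximum of 4095000 (0xFFF * 1000).
    rounds = int(m.group(1), 16) * ROUNDS_MULTIPLIER
    if not ROUNDS_MIN <= rounds <= ROUNDS_MAX:
        raise ValueError(f"rounds {rounds} outside {ROUNDS_MIN}..{ROUNDS_MAX}")
    if value[6] != "$":
        raise ValueError("missing salt delimiter")
    salt = value[7:7 + SALT_LEN]
    digest = value[7 + SALT_LEN:]
    if len(digest) != DIGEST_LEN:
        raise ValueError("digest length mismatch")
    return {"type": "SHA-256", "rounds": rounds, "salt": salt, "digest": digest}


def audit_rounds(rows, minimum=ROUNDS_MIN):
    """Flag accounts that do not meet a site policy of at least `minimum` rounds.

    rows mimic SELECT user, host, plugin, authentication_string FROM mysql.user.
    Returns (user, host, finding) where finding is the round count or a reason.
    """
    findings = []
    for user, host, plugin, auth in rows:
        if plugin != "caching_sha2_password":
            findings.append((user, host, f"legacy plugin {plugin}"))
            continue
        try:
            rounds = parse_auth_string(auth)["rounds"]
        except ValueError as exc:
            findings.append((user, host, f"unparseable: {exc}"))
            continue
        if rounds < minimum:
            findings.append((user, host, rounds))
    return findings


if __name__ == "__main__":
    print(parse_auth_string(SAMPLE_AUTH_STRING))
    rows = [("root", "%", "caching_sha2_password", SAMPLE_AUTH_STRING),
            ("nativeuser", "localhost", "mysql_native_password", LEGACY_AUTH_STRING)]
    print(audit_rounds(rows, minimum=10000))
```

Run against a real dump, the audit surfaces two things worth a defender's attention: accounts still on the legacy plugin, and accounts hashed with the default 5000 rounds after caching_sha2_password_digest_rounds was raised (existing hashes are not rehashed until the password is changed).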
Authentication works in two phases:
Fast authentication: after a successful login, the server caches username/SHA256(SHA256(password)). Subsequent connections that match the cache are validated instantly.
Complete authentication: on a cache miss the server falls back to full verification. If the connection is not encrypted, the plugin requires RSA encryption of the password.
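To make the two phases concrete, here is an added model of the server side (example code written for this article, not the plugin's own implementation). It keeps a per‑user cache of SHA256(SHA256(password)), tries the fast path first, and on a miss requires a secure channel before full verification, then populates the cache so the next login is fast even without TLS. Assumptions: the Server/login names are mine; slow_hash is a constructed salted iterated SHA‑256 that stands in for the $A$ digest and is not bit‑compatible with MySQL; the channel_secure flag stands for either TLS or an RSA‑encrypted password (no actual RSA here); and the scramble form XOR(SHA256(pw), SHA256(SHA256(SHA256(pw)) || nonce)) is the client protocol's construction, which the page does not spell out.

```python
import hashlib
import hmac
import secrets


class InsecureChannel(Exception):
    """Models ERROR 2061: Authentication requires secure connection."""


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def slow_hash(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Salted, iterated SHA-256. Constructed stand-in for the $A$ digest:
    same idea (salt + thousands of rounds), NOT bit-compatible with MySQL."""
    h = sha256(salt + password)
    for _ in range(rounds):
        h = sha256(h + salt + password)
    return h


def client_scramble(password: bytes, nonce: bytes) -> bytes:
    """Fast-auth proof: XOR(SHA256(pw), SHA256(SHA256(SHA256(pw)) || nonce))."""
    stage1 = sha256(password)
    stage2 = sha256(stage1)
    return xor(stage1, sha256(stage2 + nonce))


class Server:
    def __init__(self, rounds: int = 5000):  # caching_sha2_password_digest_rounds default
        self.rounds = rounds
        self.accounts = {}  # user -> (salt, slow digest), i.e. mysql.user
        self.cache = {}     # user -> SHA256(SHA256(password)), the fast-auth cache

    def create_user(self, user: str, password: bytes) -> None:
        salt = secrets.token_bytes(20)
        self.accounts[user] = (salt, slow_hash(password, salt, self.rounds))

    def fast_auth(self, user: str, nonce: bytes, scramble: bytes):
        """True/False when the user is cached, None on a cache miss."""
        stage2 = self.cache.get(user)
        if stage2 is None:
            return None
        stage1 = xor(scramble, sha256(stage2 + nonce))  # unmask SHA256(password)
        return hmac.compare_digest(sha256(stage1), stage2)

    def complete_auth(self, user: str, password: bytes, channel_secure: bool) -> bool:
        """Full verification against the salted digest. channel_secure means TLS,
        or the password arrived RSA-encrypted with the server public key."""
        if not channel_secure:
            raise InsecureChannel("Authentication requires secure connection")
        if user not in self.accounts:
            return False
        salt, digest = self.accounts[user]
        ok = hmac.compare_digest(slow_hash(password, salt, self.rounds), digest)
        if ok:
            self.cache[user] = sha256(sha256(password))  # enable the fast path
        return ok


def login(server: Server, user: str, password: bytes, channel_secure: bool) -> str:
    """One connection attempt; returns which phase granted access, or 'denied'."""
    nonce = secrets.token_bytes(20)
    if server.fast_auth(user, nonce, client_scramble(password, nonce)):
        return "fast"  # cache hit: no TLS or RSA needed
    # Cache miss (or mismatch): fall back to complete authentication
    return "complete" if server.complete_auth(user, password, channel_secure) else "denied"


def demo() -> list:
    srv = Server()
    srv.create_user("sha2user", b"42")  # as in the page's CREATE USER example
    out = []
    try:
        login(srv, "sha2user", b"42", channel_secure=False)  # first login, no TLS/RSA
    except InsecureChannel as exc:
        out.append(f"error: {exc}")
    out.append(login(srv, "sha2user", b"42", channel_secure=True))   # fills the cache
    out.append(login(srv, "sha2user", b"42", channel_secure=False))  # fast, cache hit
    out.append(login(srv, "sha2user", b"wrong", channel_secure=True))
    return out


if __name__ == "__main__":
    print(demo())
```

The sequence in demo() reproduces the behaviour the article goes on to show with the mysql client: the very first login over --ssl-mode=DISABLED fails, a login over a secure channel succeeds and primes the cache, and from then on the fast path works without TLS because only hashed material crosses the wire.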
RSA support is provided via the variables caching_sha2_password_private_key_path and caching_sha2_password_public_key_path. Keys can be auto‑generated with caching_sha2_password_auto_generate_rsa_keys. The public key is exposed through the status variable Caching_sha2_password_rsa_public_key:
SHOW STATUS LIKE 'Caching_sha2_password_rsa_public_key'\G
Variable_name: Caching_sha2_password_rsa_public_key
Value: -----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----

Creating a user with the new plugin:

CREATE USER 'sha2user'@'localhost' IDENTIFIED BY '42';

To force the use of the old plugin:

CREATE USER 'nativeuser'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';

When connecting over an insecure channel, RSA must be used. Example commands:

mysql --ssl-mode=DISABLED -u sha2user -p

fails with:

ERROR 2061 (HY000): Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection.

Providing the server public key resolves the issue:

mysql --ssl-mode=DISABLED -u sha2user -p --get-server-public-key

or specifying a local public key file:

mysql --ssl-mode=DISABLED -u sha2user -p --server-public-key-path=file_name

Replication also supports RSA‑encrypted password exchange via MASTER_PUBLIC_KEY_PATH, GET_MASTER_PUBLIC_KEY, and corresponding group‑replication options.
In summary, caching_sha2_password combines strong salted SHA‑256 hashing with a caching layer to provide both security and performance for MySQL 8.0 authentication.
DeWu Technology