Why MySQL Returns ‘Plugin Not Loaded’ for One Missing User but ‘Access Denied’ for Another

Background

When a client attempts to log in with a non‑existent MySQL account, the server does not return a simple "user does not exist" error. Instead, MySQL creates a hidden “decoy” account and assigns it a random authentication plugin. This design, often called a “honeypot”, makes it difficult for an attacker to infer which usernames are valid.

Honeypot Mechanism in MySQL 8.4

Step 1 – Client initiates the connection

The client (for example, user u2) opens a TCP connection to the server and starts the authentication handshake.

Step 2 – Server creates a decoy user

If find_mpvio_user() cannot locate the requested account, it calls decoy_user() to generate a shadow user object. The server then picks one of the supported authentication plugins at random and attaches it to the decoy user.

const LEX_CSTRING Cached_authentication_plugins::cached_plugins_names[] = {
  {STRING_WITH_LEN("caching_sha2_password")},   // 1/3 probability
  {STRING_WITH_LEN("mysql_native_password")},   // 1/3 probability
  {STRING_WITH_LEN("sha256_password")}
};

// Deterministic key based on username+IP ensures the same client gets the same plugin
uint plugin_num = random_number % PLUGIN_LAST;
user->plugin = cached_plugins_names[plugin_num];

Step 3 – Second‑stage authentication and plugin trap

The client’s native plugin (normally caching_sha2_password) is compared with the plugin assigned to the decoy user. If they differ, MySQL initiates a second authentication round using the decoy’s plugin.

When the decoy is assigned mysql_native_password, MySQL 8.4 does not load this plugin automatically (the plugin is disabled by default). The server therefore aborts with the fatal error:

ERROR 1524 (HY000): Plugin 'mysql_native_password' is not loaded

If the decoy receives caching_sha2_password, the authentication completes and the server returns the generic Access denied message, effectively masking the non‑existence of the account.

Why the error differs between users

u2 triggered the plugin‑not‑loaded error because the random selection gave the deprecated mysql_native_password plugin.

u1 received a normal “Access denied” because the random selection gave the currently enabled caching_sha2_password plugin.

Changes introduced in MySQL 8.4

MySQL 8.4 removed the default_authentication_plugin system variable and made caching_sha2_password the sole default authentication plugin. The older mysql_native_password plugin is no longer loaded automatically; it must be installed manually. The honeypot code, however, still chooses it with a 1/3 probability, which can surface as the “Plugin not loaded” error.

Operational guidance

Compatibility with older clients : Manually load the legacy plugin.

INSTALL PLUGIN mysql_native_password SONAME 'auth_socket.so';

Eliminate the error completely : Create a fallback user that uses a always‑available plugin, ensuring the random assignment never selects an unavailable one.

CREATE USER 'fake_user'@'%' IDENTIFIED WITH caching_sha2_password BY 'dummy';

Diagnose real‑user authentication problems : Verify that the account exists before interpreting the error, because the honeypot can mask missing users.

MySQL’s decoy‑user strategy deliberately trades implementation complexity for security. By presenting inconsistent error messages, it prevents attackers from distinguishing valid accounts from fabricated ones.