
Why MySQL Root Can Connect Without a Password and How to Fix It

This article explains why a MySQL root account may bypass password authentication, walks through common causes, demonstrates reproducing the issue, identifies the auth_socket plugin as the culprit, and shows how to switch to a native password plugin to restore proper password checks.

Aikesheng Open Source Community

A client reported that the MySQL root user could execute commands without being prompted for a password, while a newly created user with a password behaved normally. The author investigated several typical reasons for such behavior.

This type of problem usually stems from one of the following causes:

The user has no password set.

The server is started with skip-grant-tables in the configuration.

A plaintext password option is present in the MySQL option files.

The authentication plugin for the user is auth_socket.

Reproducing the issue, the author ran:

root@ytt-large:/home/ytt# mysql -e "select 'hello world'"
+-------------+
| hello world |
+-------------+
| hello world |
+-------------+

Switching to another user required a password:

root@ytt-large:/home/ytt# mysql -uadmin -e "select 'hello world'"
ERROR 1045 (28000): Access denied for user 'admin'@'localhost' (using password: NO)

root@ytt-large:/home/ytt# mysql -uadmin -p -e "select 'hello world'"
Enter password:
+-------------+
| hello world |
+-------------+
| hello world |
+-------------+

Changing the root password with ALTER USER did not affect the behavior, indicating that the password was being ignored.

Each possible cause was examined:

User has no password – ruled out because the password was already altered.

skip-grant-tables enabled – ruled out because only the root account bypassed authentication.

Plaintext password option – found in the configuration via my_print_defaults, but changing the password still had no effect, so this was also dismissed.

Authentication plugin auth_socket – identified as the most likely reason.

The auth_socket plugin allows password‑less login when the client connects through the local Unix socket and the operating‑system user name matches the MySQL user name in mysql.user that the client connects as. The official documentation confirms this behavior.

Verification steps:

root@ytt-large:/home/ytt# mysql -e "select user(),current_user()"
+----------------+----------------+
| user()         | current_user() |
+----------------+----------------+
| root@localhost | root@localhost |
+----------------+----------------+
mysql> select plugin,authentication_string from mysql.user where user='root';
+-------------+-----------------------+
| plugin      | authentication_string |
+-------------+-----------------------+
| auth_socket |                       |
+-------------+-----------------------+

Since the plugin was auth_socket, the password change had no effect. To restore password authentication, the plugin was changed:

mysql> alter user root@localhost identified with mysql_native_password by 'root';
Query OK, 0 rows affected (0.04 sec)

After the change, attempts to connect without a password were rejected, and providing the correct password succeeded:

root@ytt-large:/home/ytt# mysql -p -e "select 'hello world'"
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
root@ytt-large:/home/ytt# mysql -proot -e "select 'hello world'"
+-------------+
| hello world |
+-------------+
| hello world |
+-------------+
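
To check every account and the option files for the causes listed above, rather than only root, the following script can be used. It is an added example, not part of the original article: the function names, output labels and input formats are assumptions, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example, not from the article. Input formats are assumptions:
#   audit_accounts: tab-separated rows as printed by
#     mysql -N -B -e "SELECT user, host, plugin, authentication_string FROM mysql.user"
#   audit_options: one option per line as printed by
#     my_print_defaults mysqld client mysql

# Flag accounts whose password is ignored (auth_socket) or empty.
audit_accounts() {
    awk -F '\t' '
        $3 == "auth_socket" {
            printf "SOCKET_AUTH %s@%s\n", $1, $2; next }
        $4 == "" || $4 == "NULL" {
            printf "EMPTY_PASSWORD %s@%s plugin=%s\n", $1, $2, $3; next }
        { printf "OK %s@%s plugin=%s\n", $1, $2, $3 }'
}

# Flag skip-grant-tables and passwords stored in option files.
# The password value itself is never echoed.
audit_options() {
    awk '
        /^--skip[-_]grant[-_]tables/                 { print "SKIP_GRANT_TABLES" }
        $0 ~ /^--password=/ || $0 == "--password"    { print "STORED_PASSWORD" }'
}

# Constructed sample data (not real accounts or hashes).
sample_accounts() {
    printf 'root\tlocalhost\tauth_socket\t\n'
    printf 'admin\tlocalhost\tmysql_native_password\t*CONSTRUCTED_HASH_PLACEHOLDER\n'
    printf 'report\t%%\tcaching_sha2_password\t\n'
}
sample_options() {
    printf '%s\n' '--port=3306' '--user=root' '--password=*****'
}

sample_accounts | audit_accounts
sample_options | audit_options
```

A SOCKET_AUTH row is not in itself a misconfiguration: it limits that account to the matching local operating-system user, so whether to switch plugins depends on who controls that OS account.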

Conclusion

When encountering unexpected MySQL authentication behavior, examine system functions, internal objects, and especially the authentication plugin in use; this often reveals the root cause more quickly than merely printing test strings.
