Why MySQL Root Can Connect Without a Password and How to Fix It

A client reported that the MySQL root user could execute commands without being prompted for a password, while a newly created user with a password behaved normally. The author investigated several typical reasons for such behavior.

This type of problem usually stems from one of the following causes:

The user has no password set.

The server is started with skip-grant-tables in the configuration.

A plaintext password option is present in the MySQL option files.

The authentication plugin for the user is auth_socket.

Reproducing the issue, the author ran:

root@ytt-large:/home/ytt# mysql -e "select 'hello world'"
+-------------+
| hello world |
+-------------+
| hello world |
+-------------+

Switching to another user required a password:

root@ytt-large:/home/ytt# mysql -uadmin -e "select 'hello world'"
ERROR 1045 (28000): Access denied for user 'admin'@'localhost' (using password: NO)

root@ytt-large:/home/ytt# mysql -uadmin -p -e "select 'hello world'"
Enter password:
+-------------+
| hello world |
+-------------+
| hello world |
+-------------+

Changing the root password with ALTER USER did not affect the behavior, indicating that the password was being ignored.

Each possible cause was examined:

User has no password – ruled out because the password was already altered.

skip-grant-tables enabled – ruled out because only the root account bypassed authentication.

Plaintext password option – found in the configuration via my_print_defaults, but changing the password still had no effect, so this was also dismissed.

Authentication plugin auth_socket – identified as the most likely reason.

The auth_socket plugin allows password‑less login when the client connects through the local Unix socket and the operating‑system user name matches an entry in mysql.user. The official documentation confirms this behavior.

Verification steps:

root@ytt-large:/home/ytt# mysql -e "select user(),current_user()"
+----------------+----------------+
| user()         | current_user() |
+----------------+----------------+
| root@localhost | root@localhost |
+----------------+----------------+

mysql> select plugin,authentication_string from mysql.user where user='root';
+-------------+-----------------------+
| plugin      | authentication_string |
+-------------+-----------------------+
| auth_socket |                       |
+-------------+-----------------------+

Since the plugin was auth_socket, the password change had no effect. To restore password authentication, the plugin was changed:

mysql> alter user root@localhost identified with mysql_native_password by 'root';
Query OK, 0 rows affected (0.04 sec)

After the change, attempts to connect without a password were rejected, and providing the correct password succeeded:

root@ytt-large:/home/ytt# mysql -p -e "select 'hello world'"
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
root@ytt-large:/home/ytt# mysql -proot -e "select 'hello world'"
+-------------+
| hello world |
+-------------+
| hello world |
+-------------+

Conclusion

When encountering unexpected MySQL authentication behavior, examine system functions, internal objects, and especially the authentication plugin in use; this often reveals the root cause more quickly than merely printing test strings.