The SHA-256 authentication plugin uses the SHA-256 hashing algorithm for password storage, offering stronger security than the default SHA-1 method.
MySQL 5.6 added support for the sha256_password authentication plugin, and MySQL 8.0 also added support for the caching_sha2_password authentication plugin.
The caching_sha2_password plugin is now the default authentication plugin in MySQL 8.0.4 and above, based on the value of the default_authentication_plugin system variable.
MariaDB Server does not support the plugin. A caching_sha2_password authentication plugin was added in MariaDB and . See for more information.
Reasons for not supporting the SHA-256 plugin:
To use the protocol, you have to distribute the server's public key to all MariaDB users, which can be cumbersome and impractical.
The server receives the password in clear text, which can cause problems if the user connects to a malicious server.
If you are migrating from a MySQL instance that is using SHA-256 authentication, you have to change the SHA-256 authentication to mysql_native_authentication :
For clients that use the library, MariaDB provides client authentication plugins that are compatible with MySQL's SHA-256 authentication plugins:
sha256_password
caching_sha256_password
When connecting with a to a server, using a user account that authenticates with the sha256_password or caching_sha256_password authentication plugin, you may need to tell the client where to find the relevant client authentication plugin by specifying the --plugin-dir option:
For clients that use MariaDB's libmysqlclient library instead of , those authentication plugins are not supported.
sha256_passwordThe sha256_password client authentication plugin is compatible with MySQL's authentication plugin, which was added in MySQL 5.6.
caching_sha256_passwordThe caching_sha256_password client authentication plugin is compatible with MySQL's authentication plugin, which was added in MySQL 8.0.
The caching_sha2_password plugin is now the default authentication plugin in MySQL 8.0.4 and above, based on the value of the system variable.
supports sha256_password and caching_sha2_password authentication using the mentioned in the previous section.
It has supported the sha256_password client authentication plugin since MariaDB Connector/C 3.0.2. See for more information.
It has supported the caching_sha256_password client authentication plugin since MariaDB Connector/C 3.0.8 and MariaDB Connector/C 3.1.0. See for more information.
supports sha256_password and caching_sha2_password authentication using the mentioned in the previous section.
It has supported sha256_password and caching_sha2_password authentication since MariaDB Connector/ODBC 3.1.4. See for more information.
supports sha256_password and caching_sha2_password authentication since MariaDB Connector/J 2.5.0. See and for more information.
note: The version 3.x being a rewrite of the connector, only caching_sha2_password is implemented, since sha256_password is only implemented on EOL version.
supports sha256_password and caching_sha2_password authentication since MariaDB Connector/Node.js 2.5.0. See and for more information.
contains the plans to use if we ever decide to support these protocols.
This page is licensed: CC BY-SA / Gnu FDL
ALTER USER user_name IDENTIFIED WITH mysql_native_password BY 'new_password'mysql --plugin-dir=/usr/local/mysql/lib64/mysql/plugin --user=alice