# Authentication Plugin - mysql\_native\_password

The `mysql_native_password` authentication plugin is the default authentication plugin that will be used for an account created when no authentication plugin is explicitly mentioned and [old\_passwords=0](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#old_passwords) is set. It uses the password hashing algorithm introduced in MySQL 4.1, which is also used by the [PASSWORD()](https://mariadb.com/docs/server/reference/sql-functions/secondary-functions/encryption-hashing-and-compression-functions/password) function when [old\_passwords=0](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#old_passwords) is set. This hashing algorithm is based on [SHA-1](https://en.wikipedia.org/wiki/SHA-1).

It is not recommended to use the `mysql_native_password` authentication plugin for new installations that require **high password security**. If someone is able to both listen to the connection protocol and get a copy of the mysql.user table, then the person would be able to use this information to connect to the MariaDB server. The [ed25519](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-ed25519) authentication plugin is a more modern authentication plugin that provides simple password authentication using a more secure algorithm.

## Installing the Plugin

The `mysql_native_password` authentication plugin is statically linked into the server, so no installation is necessary.

## Creating Users

The easiest way to create a user account with the `mysql_native_password` authentication plugin is to make sure that [old\_passwords=0](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#old_passwords) is set, and then create a user account via [CREATE USER](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/create-user) that does not specify an authentication plugin, but does specify a password via the [IDENTIFIED BY](https://mariadb.com/docs/server/sql-statements/account-management-sql-statements/create-user#identified-by-password) clause:

```sql
SET old_passwords=0;
CREATE USER username@hostname IDENTIFIED BY 'mariadb';
```

If [SQL\_MODE](https://mariadb.com/docs/server/server-management/variables-and-modes/sql_mode) does not have `NO_AUTO_CREATE_USER` set, then you can also create the user account via [GRANT](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/grant):

```sql
SET old_passwords=0;
GRANT SELECT ON db.* TO username@hostname IDENTIFIED BY 'mariadb';
```

You can also create the user account by providing a password hash via the [IDENTIFIED BY PASSWORD](https://mariadb.com/docs/server/sql-statements/account-management-sql-statements/create-user#identified-by-password-password_hash) clause, and MariaDB will validate whether the password hash is one that is compatible with `mysql_native_password`:

```sql
SET old_passwords=0;

SELECT PASSWORD('mariadb');
+-------------------------------------------+
| PASSWORD('mariadb')                       |
+-------------------------------------------+
| *54958E764CE10E50764C2EECBB71D01F08549980 |
+-------------------------------------------+

CREATE USER username@hostname
  IDENTIFIED BY PASSWORD '*54958E764CE10E50764C2EECBB71D01F08549980';
```

Similar to all other [authentication plugins](https://mariadb.com/docs/server/reference/plugins/authentication-plugins), you could also specify the name of the plugin in the [IDENTIFIED VIA](https://mariadb.com/docs/server/sql-statements/account-management-sql-statements/create-user#identified-viawith-authentication_plugin) clause while providing the password hash as the `USING` clause:

```sql
CREATE USER username@hostname
  IDENTIFIED VIA mysql_native_password USING '*54958E764CE10E50764C2EECBB71D01F08549980';
```

## Changing User Passwords

You can change a user account's password with the [SET PASSWORD](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/set-password) statement while providing the plain-text password as an argument to the [PASSWORD()](https://mariadb.com/docs/server/reference/sql-functions/secondary-functions/encryption-hashing-and-compression-functions/password) function:

```sql
SET PASSWORD =  PASSWORD('new_secret')
```

You can also change the user account's password with the [ALTER USER](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/alter-user) statement. You would have to make sure that [old\_passwords=0](https://mariadb.com/docs/server/server-management/variables-and-modes/server-system-variables#old_passwords) is set, and then you would have to specify a password via the [IDENTIFIED BY](https://mariadb.com/docs/server/sql-statements/account-management-sql-statements/alter-user#identified-by-password) clause:

```sql
SET old_passwords=0;
ALTER USER username@hostname IDENTIFIED BY 'new_secret';
```

## Client Authentication Plugins

For clients that use the `libmysqlclient` or [MariaDB Connector/C](https://app.gitbook.com/s/CjGYMsT2MVP4nd3IyW2L/mariadb-connector-c) libraries, MariaDB provides one client authentication plugin that is compatible with the `mysql_native_password` authentication plugin:

* `mysql_native_password`

When connecting with a [client or utility](https://mariadb.com/docs/server/clients-and-utilities) to a server as a user account that authenticates with the `mysql_native_password` authentication plugin, you may need to tell the client where to find the relevant client authentication plugin by specifying the `--plugin-dir` option:

```bash
mysql --plugin-dir=/usr/local/mysql/lib64/mysql/plugin --user=alice
```

However, the `mysql_native_password` client authentication plugin is generally statically linked into client libraries like `libmysqlclient` or [MariaDB Connector/C](https://app.gitbook.com/s/CjGYMsT2MVP4nd3IyW2L/mariadb-connector-c), so this is not usually necessary.

### `mysql_native_password`

The `mysql_native_password` client authentication plugin hashes the password before sending it to the server.

## Support in Client Libraries

The `mysql_native_password` authentication plugin is one of the conventional authentication plugins, so all client libraries should support it.

## Known Old Issues (Only Relevant for Old Installations)

### Mismatches Between Password and authentication\_string Columns

For compatibility reasons, the `mysql_native_password` authentication plugin tries to read the password hash from both the `Password` and `authentication_string` columns in the [mysql.user](https://mariadb.com/docs/server/reference/system-tables/the-mysql-database-tables/mysql-user-table) table. This has caused issues in the past if one of the columns had a different value than the other.

{% tabs %}
{% tab title="Current" %}
[CREATE USER](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/create-user), [ALTER USER](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/alter-user), [GRANT](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/grant), and [SET PASSWORD](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/set-password) set the `Password` and `authentication_string` columns in the [mysql.user](https://mariadb.com/docs/server/reference/system-tables/the-mysql-database-tables/mysql-user-table) table whenever an account's password is changed.
{% endtab %}

{% tab title="< 10.3.11 / 10.2.19" %}
[CREATE USER](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/create-user), [ALTER USER](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/alter-user), [GRANT](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/grant), and [SET PASSWORD](https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/set-password) do **not** set the `Password` and `authentication_string` columns in the [mysql.user](https://mariadb.com/docs/server/reference/system-tables/the-mysql-database-tables/mysql-user-table) table whenever an account's password is changed.
{% endtab %}
{% endtabs %}

## See Also

* [ed25519](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-ed25519) secure connection plugin
* [History of MySQL and MariaDB authentication protocols](https://mariadb.org/history-of-mysql-mariadb-authentication-protocols)

<sub>*This page is licensed: CC BY-SA / Gnu FDL*</sub>

{% @marketo/form formId="4316" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.