Skip to content

Choose the right MySQL or MariaDB authentication plugin

Severity: highApplies to: MySQL 8.4 LTS / 9.xApplies to: MariaDB 11.x / 12.x
The fix
-- MySQL 8.4+
ALTER USER 'app'@'10.0.1.%' IDENTIFIED WITH caching_sha2_password BY 'secret';
-- MariaDB: root/admin, local only — already the Debian default
ALTER USER 'root'@'localhost' IDENTIFIED VIA unix_socket;
-- MariaDB: application accounts needing a password
INSTALL SONAME 'auth_ed25519';
ALTER USER 'app'@'10.0.1.%' IDENTIFIED VIA ed25519 USING PASSWORD('secret');

Read the safety section before running any of these. Changing an auth plugin is how you lock an application out of its database.

It hashes passwords with SHA-1, and it does not salt them. Two accounts with the same password have the same hash, and the hash is a plain SHA-1 of the password — which means an offline crack against a leaked mysql.user table is about as cheap as it gets. There is no work factor to raise.

Oracle has been retiring it on a schedule:

Version Status
8.0.34 Deprecated — warnings begin
8.4 LTS Disabled by default — the plugin is not loaded
9.0 Removed entirely

That is not a deprecation you can defer indefinitely. On 8.4 an account using it cannot authenticate until the plugin is explicitly re-enabled; on 9.0 there is no plugin to enable.

This is the part generic guides get wrong. They tell you to use caching_sha2_password, which is correct for MySQL and wrong for most MariaDB installs.

MySQL: use caching_sha2_password. It has been the default since 8.0, so a modern account already uses it. The work is migrating legacy accounts.

On 8.4 the relevant variable changed name — default_authentication_plugin was replaced by authentication_policy:

[mysqld]
authentication_policy = caching_sha2_password

MariaDB: caching_sha2_password only arrived in Community 12.1 (and Enterprise 11.8). If you’re on Debian trixie’s MariaDB 11.8 Community, it isn’t there, and mysql_native_password is still MariaDB’s default plugin for any account created without naming one. MariaDB’s own docs say it is “not recommended for new installations that require high password security.”

MariaDB’s two good options:

  • unix_socket for local administrative accounts. This is already how Debian and Ubuntu create root@localhost — as IDENTIFIED VIA unix_socket OR mysql_native_password USING 'invalid', meaning the OS user vouches for identity and the password path is deliberately unusable. It is genuinely good and needs no work.
  • ed25519 for accounts that must authenticate with a password over the network. The shared library ships with MariaDB but the plugin is not installed by defaultINSTALL SONAME 'auth_ed25519' first, or the IDENTIFIED VIA ed25519 will fail.