Choose the right MySQL or MariaDB authentication plugin
-- MySQL 8.4+ALTER USER 'app'@'10.0.1.%' IDENTIFIED WITH caching_sha2_password BY 'secret';
-- MariaDB: root/admin, local only — already the Debian defaultALTER USER 'root'@'localhost' IDENTIFIED VIA unix_socket;
-- MariaDB: application accounts needing a passwordINSTALL SONAME 'auth_ed25519';ALTER USER 'app'@'10.0.1.%' IDENTIFIED VIA ed25519 USING PASSWORD('secret');Read the safety section before running any of these. Changing an auth plugin is how you lock an application out of its database.
Why mysql_native_password has to go
Section titled “Why mysql_native_password has to go”It hashes passwords with SHA-1, and it does not salt them. Two accounts
with the same password have the same hash, and the hash is a plain SHA-1 of the
password — which means an offline crack against a leaked mysql.user table is
about as cheap as it gets. There is no work factor to raise.
Oracle has been retiring it on a schedule:
| Version | Status |
|---|---|
| 8.0.34 | Deprecated — warnings begin |
| 8.4 LTS | Disabled by default — the plugin is not loaded |
| 9.0 | Removed entirely |
That is not a deprecation you can defer indefinitely. On 8.4 an account using it cannot authenticate until the plugin is explicitly re-enabled; on 9.0 there is no plugin to enable.
MySQL and MariaDB need different answers
Section titled “MySQL and MariaDB need different answers”This is the part generic guides get wrong. They tell you to use
caching_sha2_password, which is correct for MySQL and wrong for most MariaDB
installs.
MySQL: use caching_sha2_password. It has been the default since 8.0, so a
modern account already uses it. The work is migrating legacy accounts.
On 8.4 the relevant variable changed name — default_authentication_plugin was
replaced by authentication_policy:
[mysqld]authentication_policy = caching_sha2_passwordMariaDB: caching_sha2_password only arrived in Community 12.1 (and
Enterprise 11.8). If you’re on Debian trixie’s MariaDB 11.8 Community, it isn’t
there, and mysql_native_password is still MariaDB’s default plugin for any
account created without naming one. MariaDB’s own docs say it is “not recommended
for new installations that require high password security.”
MariaDB’s two good options:
unix_socketfor local administrative accounts. This is already how Debian and Ubuntu createroot@localhost— asIDENTIFIED VIA unix_socket OR mysql_native_password USING 'invalid', meaning the OS user vouches for identity and the password path is deliberately unusable. It is genuinely good and needs no work.ed25519for accounts that must authenticate with a password over the network. The shared library ships with MariaDB but the plugin is not installed by default —INSTALL SONAME 'auth_ed25519'first, or theIDENTIFIED VIA ed25519will fail.
Related
Section titled “Related”- Enable TLS — do this before migrating to caching_sha2_password.
- Remove anonymous users and the test database — accounts with no password at all.