strongDM.blog /

How to Change the MySQL root Password

MySQL is an open-source relational database, made famous by its ease-of-use and simple setup on modern Linux and Windows operating systems. On an unmodified MySQL install, the root user account does not have a password. This is extremely insecure!

As a systems administrator, we know that the easiest way to compromise a system is using the default unchanged password with admin privileges. To set the root password for the root account:

{{code}} $ mysql -u root --skip-password {{/code}}

Assign a password with the following command:

{{code}} mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'PASSWORD_HERE'; {{/code}}

Luckily, in most situations, operating system-specific installs of MySQL will be set to generate a random password for the root user when the database is started for the first time. Instead of setting the password, you’ll change it.

Different platforms (Windows, Linux, etc) will require slightly different methods for resetting the password.

Changing the root user’s password on Linux

Log on to your system as the Unix user that the MySQL server runs as (for example, mysql). These will work on most Linux distributions (ubuntu, Debian, Fedora, etc).

  1. Log on to your target system with SSH or other remote shell
  2. Stop the MySQL server if it is running. Most times, this is done using your operating system’s init system (systemD, SysV init, or upstart).

{{code-block}}
# upstart
$ sudo service mysql stop
# SysV init
/etc/init.d/mysql-server stop
{{/code-block}}

  1. If you’re unsure, or you have a custom MySQL installation, you can stop the MySQL server by sending a normal TERM to the mysqld process using the kill command

{{code-block}}
$ killall mysqld
{{/code-block}}

  1. Create a text file containing the password assignment SQL statement on a single line

{{code-block}}
ALTER USER 'root'@'localhost' IDENTIFIED BY 'MyNewPass';
{{/code-block}}

  1. Save the file to disk. Note: ensure the mysql user (or the user the database is running under) has read access to the file.
  2. Start the MySQL server with the init_file CLI flag set to name the file you saved above.

{{code-block}}
$ mysqld --init-file=/home/me/mysql-init
{{/code-block}}

  1. When the server boots, it will execute the contents of the file specified above which will change the password.
  2. After the server has started successfully, you can delete the SQL file you created above. In a separate command prompt, or with your GUI tool of choice, you should now be able to connect to the MySQL server as root using the new password.
  3. Stop the MySQL server (usually control-C) and start MySQL it normally from your operating system’s init system

{{code-block}}
#upstart
$ sudo service mysql start
# SysV init
/etc/init.d/mysql-server stop
{{/code-block}}

Changing the root user’s password on Windows

Resetting the root password is very similar to the process used on Linux, with a few tweaks! We will create another init file containing the password reset statement, and start the server manually in our command prompt.

  1. Log on to your system via RDP or on the console as a user with administrative privleges
  2. Stop the MySQL server if it is running

For a server that is running as a Windows service, go to the Services manager: From the Start menu, select Control Panel, then Administrative Tools, then Services. Find the MySQL service in the list and stop it.

  1. Create a text file containing the password assignment SQL statement on a single line

{{code-block}}
ALTER USER 'root'@'localhost' IDENTIFIED BY 'MyNewPass';
{{/code-block}}

  1. Save the file to disk.
  2. Open the command prompt (Start → Run → cmd)
  3. Start the MySQL server with the init_file CLI flag set to name the file you saved above. Note: backslashes must be escaped, so use two for the file path like the example below.

{{code-block}}
C:\> cd "C:\Program Files\MySQL\MySQL Server 8.0\bin"
C:\> mysqld --init-file=C:\\mysql-init.txt
{{/code-block}}

  1. When the server boots, it will execute the contents of the file specified above which will change the password.
  2. After the server has started successfully, you can delete the SQL file you created above. In a separate command prompt, or with your GUI tool of choice, you should now be able to connect to the MySQL server as root using the new password.
  3. Stop the MySQL server and restart it normally from the Windows Service Console.

Managing MySQL Users with strongDM

Most security professionals would not recommend using the root user for human or application access to a database. The administrative privileges that the root user possesses are a huge security vulnerability waiting to happen!

So what’s the best way to do database access for your developers? Multiple accounts? One shared account? If you change the password, how do you communicate that to everyone?

Enter strongDM. strongDM allows you to abstract-away usernames and passwords from the developers and allows us, the systems administrator, to keep the master passwords in a safe space under lock and key. strongDM provides us central authentication and auditing for all actions against a MySQL host.