Forgetting the MySQL or MariaDB root password is one of those things that happens to every database administrator at some point. Whether you inherited a server with no documentation or simply lost track of credentials during a migration, the fix is straightforward if you know the right steps for your specific database version.
This guide walks you through resetting the root password on MySQL 8.x and MariaDB 11.x running on Ubuntu 24.04, Ubuntu 22.04, Debian 13 (Trixie), and Debian 12 (Bookworm). We cover two proven methods, the syntax differences between MySQL and MariaDB, and the auth plugin gotchas that trip people up.
Prerequisites
- Root or sudo access to the server
- MySQL 8.x or MariaDB 11.x installed
- Ubuntu 24.04/22.04 or Debian 13/12
- SSH access to the server
Check Your Database Version
Before doing anything, confirm which database server you are running and its version. The reset procedure and SQL syntax differ between MySQL and MariaDB.
mysql --versionFor MySQL 8.x you will see output like:
mysql Ver 8.0.39 Distrib 8.0.39, for Linux on x86_64For MariaDB 11.x:
mysql Ver 15.1 Distrib 11.4.2-MariaDB, for debian-linux-gnu (x86_64)Method 1 – Reset MySQL 8.x Root Password (mysqld_safe)
This method uses mysqld_safe with the --skip-grant-tables option. It works well for MySQL 8.x on Ubuntu and Debian systems.
Step 1 – Stop the MySQL Service
First, stop the running MySQL instance:
sudo systemctl stop mysqlVerify it is stopped:
sudo systemctl status mysqlYou should see Active: inactive (dead) in the output.
Step 2 – Start MySQL with Skip Grant Tables
Start MySQL in safe mode, bypassing the authentication system:
sudo mysqld_safe --skip-grant-tables --skip-networking &The --skip-networking flag is important – it prevents remote connections while authentication is disabled. This keeps the server safe during the reset window.
Wait a few seconds, then verify MySQL is running:
sudo mysqladmin pingExpected output:
mysqld is aliveStep 3 – Connect to MySQL Without a Password
Log into the MySQL shell as root:
sudo mysql -u rootStep 4 – Reset the Root Password
In MySQL 8.x, the correct syntax is ALTER USER. First, flush privileges to load the grant tables into memory (required when running with --skip-grant-tables):
FLUSH PRIVILEGES;Now set the new root password:
ALTER USER 'root'@'localhost' IDENTIFIED BY 'YourNewStrongPassword';Flush privileges again and exit:
FLUSH PRIVILEGES;
EXIT;Note: The older SET PASSWORD syntax still works in MySQL 8.x but is deprecated. Stick with ALTER USER going forward.
Step 5 – Stop mysqld_safe and Restart MySQL Normally
Kill the mysqld_safe process and start MySQL through systemd:
sudo killall mysqld mysqld_safe
sudo systemctl start mysqlVerify the service is running:
sudo systemctl status mysqlStep 6 – Verify Login with New Password
mysql -u root -pEnter your new password when prompted. If you get a MySQL shell, the reset was successful.
SELECT user, host, plugin FROM mysql.user WHERE user = 'root';This confirms the root account details and authentication plugin in use.
Method 2 – Reset MariaDB 11.x Root Password (systemd Override)
MariaDB on Debian and Ubuntu systems is managed entirely by systemd. Instead of using mysqld_safe, the cleaner approach is to create a systemd override that passes --skip-grant-tables to the MariaDB daemon.
Step 1 – Stop MariaDB
sudo systemctl stop mariadbConfirm it is stopped:
sudo systemctl status mariadbStep 2 – Create a systemd Override
Create a drop-in override file that adds --skip-grant-tables and --skip-networking to the MariaDB startup command:
sudo mkdir -p /etc/systemd/system/mariadb.service.d
sudo tee /etc/systemd/system/mariadb.service.d/override.conf <<EOF
[Service]
ExecStart=
ExecStart=/usr/sbin/mariadbd --skip-grant-tables --skip-networking
EOFThe first empty ExecStart= line clears the default command. The second line sets the new startup command with authentication bypass.
Reload systemd and start MariaDB with the override:
sudo systemctl daemon-reload
sudo systemctl start mariadbVerify MariaDB is running:
sudo systemctl status mariadbStep 3 – Connect and Reset the Password
Connect without a password:
sudo mysql -u rootFlush privileges first:
FLUSH PRIVILEGES;In MariaDB 11.x, you can use either ALTER USER or SET PASSWORD. Both work, but here is the recommended approach:
Option A – ALTER USER (recommended):
ALTER USER 'root'@'localhost' IDENTIFIED BY 'YourNewStrongPassword';Option B – SET PASSWORD:
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('YourNewStrongPassword');Flush and exit:
FLUSH PRIVILEGES;
EXIT;Step 4 – Remove the Override and Restart Normally
This step is critical. If you leave the override in place, MariaDB will start without authentication on every reboot.
sudo rm -f /etc/systemd/system/mariadb.service.d/override.conf
sudo rmdir /etc/systemd/system/mariadb.service.d 2>/dev/null
sudo systemctl daemon-reload
sudo systemctl restart mariadbVerify MariaDB restarted properly:
sudo systemctl status mariadbStep 5 – Verify Login
mysql -u root -pEnter the new password. Once in the shell, confirm:
SELECT user, host, plugin FROM mysql.user WHERE user = 'root';MySQL vs MariaDB – Syntax Differences
The password reset SQL differs between MySQL and MariaDB. Here is a quick reference:
| Action | MySQL 8.x | MariaDB 11.x |
|---|---|---|
| Reset password | ALTER USER 'root'@'localhost' IDENTIFIED BY 'pass'; | ALTER USER 'root'@'localhost' IDENTIFIED BY 'pass'; |
| Legacy syntax | SET PASSWORD (deprecated) | SET PASSWORD FOR ... = PASSWORD('pass'); |
| Default auth plugin | caching_sha2_password | mysql_native_password |
| Socket plugin | auth_socket | unix_socket |
Dealing with auth_socket / unix_socket Plugin
On Ubuntu and Debian, both MySQL and MariaDB often default to socket-based authentication for the root account. This means sudo mysql works without a password, but mysql -u root -p does not – even with the correct password.
Check the current plugin:
SELECT user, host, plugin FROM mysql.user WHERE user = 'root';If you see auth_socket (MySQL) or unix_socket (MariaDB), the root user authenticates via the OS socket, not a password.
Switch from Socket Auth to Password Auth – MySQL 8.x
ALTER USER 'root'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'YourNewStrongPassword';
FLUSH PRIVILEGES;If you need compatibility with older clients that do not support caching_sha2_password:
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'YourNewStrongPassword';
FLUSH PRIVILEGES;Switch from Socket Auth to Password Auth – MariaDB 11.x
ALTER USER 'root'@'localhost' IDENTIFIED VIA mysql_native_password USING PASSWORD('YourNewStrongPassword');
FLUSH PRIVILEGES;Switch Back to Socket Auth
If you want to restore socket-based authentication (the default on most Debian/Ubuntu installs):
MySQL 8.x:
ALTER USER 'root'@'localhost' IDENTIFIED WITH auth_socket;
FLUSH PRIVILEGES;MariaDB 11.x:
ALTER USER 'root'@'localhost' IDENTIFIED VIA unix_socket;
FLUSH PRIVILEGES;Security Notes
- Never leave skip-grant-tables running in production. Any user can connect without credentials while this flag is active. Always restart the database normally after resetting the password.
- Use –skip-networking alongside –skip-grant-tables. This disables TCP connections and limits access to local socket connections only, reducing the attack surface during the reset.
- Choose a strong password. Use at least 16 characters with a mix of uppercase, lowercase, numbers, and special characters.
- Remove the systemd override file immediately after the reset. Forgetting to remove it means MariaDB will boot without authentication every time the server restarts.
- Audit access after a reset. If the password was lost because of a compromise, check user accounts and privileges before putting the server back into production.
Troubleshooting
mysqld_safe Not Found
On some Ubuntu 24.04 and Debian 13 installations, mysqld_safe may not be included. Check if it exists:
which mysqld_safeIf it is missing, use the systemd override method (Method 2) instead. It works for both MySQL and MariaDB. For MySQL, the override file goes in /etc/systemd/system/mysql.service.d/override.conf and the binary path is /usr/sbin/mysqld:
sudo mkdir -p /etc/systemd/system/mysql.service.d
sudo tee /etc/systemd/system/mysql.service.d/override.conf <<EOF
[Service]
ExecStart=
ExecStart=/usr/sbin/mysqld --skip-grant-tables --skip-networking
EOF
sudo systemctl daemon-reload
sudo systemctl start mysqlRemember to remove the override and restart after resetting the password.
ERROR 1524 – Plugin ‘auth_socket’ is not loaded
This happens when the auth_socket plugin is not installed. Install it and try again:
INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
ALTER USER 'root'@'localhost' IDENTIFIED WITH auth_socket;
FLUSH PRIVILEGES;ERROR 1698 – Access denied for user ‘root’@’localhost’
This typically means the root account uses socket authentication. You are connecting with mysql -u root -p but the server expects a socket connection. Use sudo mysql instead, or switch the authentication plugin to password-based as shown above.
Can’t Connect to Local MySQL Server Through Socket
The MySQL or MariaDB service is not running. Check the status and logs:
# For MySQL
sudo systemctl status mysql
sudo journalctl -u mysql -n 50 --no-pager
# For MariaDB
sudo systemctl status mariadb
sudo journalctl -u mariadb -n 50 --no-pagerCommon causes include incorrect file permissions on the data directory or AppArmor/SELinux blocking access. Check data directory ownership:
ls -la /var/lib/mysql/The directory and its contents should be owned by mysql:mysql. Fix if needed:
sudo chown -R mysql:mysql /var/lib/mysql/Password Reset Works but Reverts After Restart
This usually happens when Debian maintenance scripts override your changes. Check if the Debian maintenance user config is interfering:
sudo cat /etc/mysql/debian.cnfOn MariaDB 11.x systems, this file may contain a maintenance password. Make sure you are not confusing the maintenance user with the root user.
AppArmor Blocking mysqld_safe
On Ubuntu, AppArmor may block mysqld_safe from starting. Temporarily set the MySQL AppArmor profile to complain mode:
sudo aa-complain /usr/sbin/mysqldAfter the reset, restore it:
sudo aa-enforce /usr/sbin/mysqldConclusion
Resetting the MySQL or MariaDB root password comes down to two things – bypassing authentication temporarily and running the right SQL statement for your database version. For MySQL 8.x, use ALTER USER. For MariaDB 11.x, both ALTER USER and SET PASSWORD work but ALTER USER is the more portable choice.
The most important step is the one after the reset – making sure you remove the --skip-grant-tables flag and restart the database with full authentication enabled. Leaving it running without auth, even on a local network, is asking for trouble.
If you are managing multiple database servers, consider setting up a password manager or a secrets vault so you do not end up here again.
