How to Reset the MySQL Root Password

Losing the MySQL root password is one of those problems that feels like a disaster until you remember the grant-tables shortcut. With a short service restart and one ALTER USER statement, you can set a new password and get back to work.

This guide explains how to reset the MySQL or MariaDB root password from the command line on Linux, covering MySQL 8.0, MySQL 5.7, and MariaDB.

Try sudo mysql First #

On recent Debian and Ubuntu installations, the MySQL root account authenticates through the auth_socket plugin instead of a password. If that is your setup, you do not need to reset anything. Open the shell as the operating system root user:

sudo mysql

If you land on the mysql> prompt without being asked for a password, the account is using auth_socket. You can set or change the password directly from there:

ALTER USER 'root'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'NEW_ROOT_PASSWORD';
FLUSH PRIVILEGES;

If sudo mysql also fails with an access-denied error, continue with the recovery steps below.

Identify the Server Version #

The correct ALTER USER syntax depends on the server version. You can check your server version by running:

mysql --version

For MySQL, the output will look something like this:

mysql  Ver 8.0.39-0ubuntu0.24.04.2 for Linux on x86_64 ((Ubuntu))

For MariaDB, the output looks similar to:

mysql  Ver 15.1 Distrib 10.11.6-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Note the version before you continue. MySQL 8.0, MySQL 5.7.6 and later, and MariaDB 10.1.20 and later share the same ALTER USER syntax. Older releases need a different statement.

Reset the MySQL or MariaDB Root Password #

The recovery procedure tells the database server to start without loading the grant tables, which lets you connect as root without a password and set a new one.

1. Stop the MySQL or MariaDB Service #

Stop the running database server before you start it again in recovery mode:

sudo systemctl stop mysql

The service name varies across distributions. On Fedora, RHEL, and derivatives the MySQL service is usually called mysqld, and on systems running MariaDB it is mariadb. If mysql is not recognized, try one of the alternatives:

sudo systemctl stop mysqld
sudo systemctl stop mariadb

2. Start the Server Without the Grant Tables #

Start the database server with the grant tables disabled and networking turned off. Skipping networking prevents remote connections from reaching the server while it is open:

sudo mysqld --user=mysql --skip-grant-tables --skip-networking &

The --user=mysql option tells the server to drop privileges and run as the database service account instead of as root, which is how package-managed MySQL and MariaDB installations normally run on Linux. The ampersand & at the end of the command puts the process in the background so you can keep using the shell. While the server is running in this mode, anyone with local access can connect with full privileges, so finish the reset as soon as possible.

On older systems you may still see mysqld_safe in recovery tutorials. The command below is the equivalent for those setups:

sudo mysqld_safe --user=mysql --skip-grant-tables --skip-networking &

3. Connect to the MySQL Shell #

Now connect to the server as the root user. No password is required:

mysql -u root

4. Reload the Grant Tables #

When the server is running with --skip-grant-tables, account-management statements such as ALTER USER are disabled. Re-enable them for this session by flushing the privileges:

FLUSH PRIVILEGES;

5. Set a New Root Password #

On MySQL 8.0, MySQL 5.7.6 and later, and MariaDB 10.1.20 and later, set the new password with ALTER USER:

ALTER USER 'root'@'localhost' IDENTIFIED BY 'NEW_ROOT_PASSWORD';
FLUSH PRIVILEGES;

On MySQL 8.0 you can also pin the authentication plugin explicitly:

ALTER USER 'root'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'NEW_ROOT_PASSWORD';
FLUSH PRIVILEGES;

On MySQL 5.7.5 and earlier, or MariaDB 10.1.19 and earlier, use the legacy SET PASSWORD syntax:

SET PASSWORD FOR 'root'@'localhost' = PASSWORD('NEW_ROOT_PASSWORD');
FLUSH PRIVILEGES;

A successful statement returns the following output:

Query OK, 0 rows affected (0.00 sec)

Exit the shell with \q once the new password is set.

6. Restart the Database Server #

The recovery instance started with --skip-grant-tables still needs to be stopped before a normal start. If you launched it with mysqld_safe, stop the wrapper first so it does not restart the server in the background:

sudo pkill mysqld_safe

Then stop the recovery mysqld process and start the service through systemd:

sudo pkill mysqld
sudo systemctl start mysql

If you are running MariaDB, start the corresponding unit:

sudo systemctl start mariadb

7. Verify the New Password #

Log in with the new root password to confirm the reset worked:

mysql -u root -p

Enter the password when prompted. You should land on the mysql> prompt without an access-denied error.

Troubleshooting #

ERROR 1290 (HY000): The MySQL server is running with the --skip-grant-tables option
The privilege system is off, so ALTER USER is rejected. Run FLUSH PRIVILEGES; first, then run the ALTER USER statement again in the same session.

ERROR 1054 (42S22): Unknown column 'password' in 'field list'
You are editing mysql.user directly on a newer server that stores credentials in authentication_string. Use ALTER USER instead of UPDATE mysql.user.

The recovery server starts again after sudo pkill mysqld
If you launched recovery with mysqld_safe, the wrapper will restart mysqld when the child exits. Stop mysqld_safe first, then stop mysqld, and start the service through systemd.

Access denied for root@localhost after the reset
On Debian and Ubuntu the root account may still be tied to the auth_socket plugin. Re-run the ALTER USER statement with IDENTIFIED WITH caching_sha2_password BY '...' (or mysql_native_password on older clients) to switch to password authentication.

FAQ #

How do I reset the root password on Ubuntu when mysql -u root -p does not work?
Ubuntu ships MySQL with the auth_socket plugin, so the root account ignores passwords by default. Open the shell with sudo mysql, then run ALTER USER 'root'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'new_password';. If even sudo mysql fails, follow the --skip-grant-tables recovery above.

Is the PASSWORD() function still needed?
No. PASSWORD() was deprecated in MySQL 5.7 and removed in MySQL 8.0. Pass the new password as a plain quoted string: ALTER USER 'root'@'localhost' IDENTIFIED BY 'secret';.

Does the same procedure work on MariaDB?
Yes. MariaDB 10.1.20 and later accept the same ALTER USER ... IDENTIFIED BY syntax. Older MariaDB builds still use SET PASSWORD FOR 'root'@'localhost' = PASSWORD('new_password');.

Why should I include --skip-networking?
While the server runs without the grant tables, any local account can connect with full privileges. --skip-networking blocks remote connections during the short window the server is exposed.

Conclusion #

Resetting a lost MySQL or MariaDB root password comes down to starting the server without the grant tables, flushing privileges, and running a single ALTER USER statement. If you also need to manage day-to-day accounts, see our guide on managing MySQL databases and users .

About the authors

Dejan Panovski

Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.

View author page