MySQL Access Denied for User Error Fix: Complete Troubleshooting Guide
If you’ve spent any time working with MySQL, you’ve likely encountered the dreaded ERROR 1045 (28000): Access denied for user message. It’s one of the most common — and frustrating — errors developers face when connecting to a MySQL database.
This comprehensive guide walks you through every possible cause of this error, from the most common scenarios to edge cases that can leave you scratching your head. Whether you’re running MySQL 8.0, 8.4, or the latest 9.x release, these solutions will help you resolve the issue quickly.
Understanding the MySQL Access Denied Error
What the Error Actually Means
The Access denied for user error is MySQL’s way of telling you that authentication failed. The server received your connection request, but something about the credentials, host, or privileges didn’t match what’s stored in the system tables.
A typical error message looks like this:
ERROR 1045 (28000): Access denied for user 'myuser'@'localhost' (using password: YES)
The key information here is:
- The username MySQL received (
myuser) - The host the connection originated from (
localhost) - Whether a password was sent (
using password: YESorusing password: NO)
Pay close attention to the using password part. If it says NO when you expected YES, your application isn’t sending the password at all — which points to a connection string problem, not a password problem.
Most Common Causes and Solutions
1. Incorrect Password
This is the most frequent cause, and it’s worth verifying before diving into more complex troubleshooting.
Quick verification:
mysql -u myuser -p
Enter the password manually when prompted. If this works but your application fails, the issue is likely in how your application passes the password (special characters, encoding issues, etc.).
Resetting a user’s password (MySQL 8.0+):
-- Log in as root first
mysql -u root -p
-- Reset the password
ALTER USER 'myuser'@'localhost' IDENTIFIED BY 'NewStrongPass123!';
FLUSH PRIVILEGES;
Watch for special characters: Passwords containing @, #, /, or spaces can cause issues in connection strings and shell commands. Always URL-encode special characters in connection URLs.
For example, if your password is P@ssw0rd!, a connection string like this will fail:
# Wrong — the @ is interpreted as a host separator
conn = mysql.connect("mysql://myuser:P@ssw0rd!@localhost/mydb")
Instead, URL-encode the password:
# Correct — P%40ssw0rd%21
conn = mysql.connect("mysql://myuser:P%40ssw0rd%21@localhost/mydb")
Or better yet, pass credentials separately:
import mysql.connector
conn = mysql.connector.connect(
host="localhost",
user="myuser",
password="P@ssw0rd!",
database="mydb"
)
2. Host Mismatch — The User Exists, But Not for Your Host
MySQL grants are scoped to both username and host. A user myuser@localhost cannot connect from 192.168.1.50 — they’re effectively a different account.
Check which hosts a user can connect from:
SELECT User, Host FROM mysql.user WHERE User = 'myuser';
You might see something like:
+--------+-----------+
| User | Host |
+--------+-----------+
| myuser | localhost |
+--------+-----------+
This means myuser can only connect from the same machine running MySQL. If your application runs on a different server, the connection will be denied.
Fix — Create the user for the correct host:
-- Allow connections from any host (use cautiously in production)
CREATE USER 'myuser'@'%' IDENTIFIED BY 'StrongPassword123!';
GRANT ALL PRIVILEGES ON mydb.* TO 'myuser'@'%';
FLUSH PRIVILEGES;
Better practice — Restrict to a specific IP or subnet:
-- Allow only from a specific application server
CREATE USER 'myuser'@'192.168.1.50' IDENTIFIED BY 'StrongPassword123!';
GRANT ALL PRIVILEGES ON mydb.* TO 'myuser'@'192.168.1.50';
FLUSH PRIVILEGES;
-- Or allow a subnet
CREATE USER 'myuser'@'192.168.1.%' IDENTIFIED BY 'StrongPassword123!';
GRANT ALL PRIVILEGES ON mydb.* TO 'myuser'@'192.168.1.%';
FLUSH PRIVILEGES;
Important: The
%wildcard means “any host.” In production environments, always restrict this to known IP addresses for security.
3. The User Doesn’t Exist at All
Sometimes the error occurs simply because the user account was never created, was deleted, or exists in a different database server instance.
Check if the user exists:
SELECT User, Host FROM mysql.user WHERE User = 'myuser';
If the query returns no rows, the user doesn’t exist. Create it:
CREATE USER 'myuser'@'localhost' IDENTIFIED BY 'StrongPassword123!';
GRANT SELECT, INSERT, UPDATE, DELETE ON mydb.* TO 'myuser'@'localhost';
FLUSH PRIVILEGES;
4. Anonymous Users Interfering
This is a sneaky issue. MySQL has a special matching order for user accounts. If an anonymous user (empty string username) exists for a host, it can take precedence over a named user.
Check for anonymous users:
SELECT User, Host FROM mysql.user WHERE User = '';
If you find anonymous users, remove them:
DROP USER ''@'localhost';
DROP USER ''@'%';
FLUSH PRIVILEGES;
MySQL’s matching priority works like this:
- Exact host match (e.g.,
myuser@192.168.1.50) - Wildcard host patterns (e.g.,
myuser@192.168.1.%) - Broad wildcards (e.g.,
myuser@%)
Anonymous users with specific host matches can shadow named users with broader host patterns. This is why removing anonymous users often resolves mysterious access denied errors.
Intermediate-Level Causes
5. Root Account Locked or Password Expired
In MySQL 8.0 and later, the root account uses the caching_sha2_password plugin by default. Additionally, password expiration policies can lock accounts.
Check account status:
SELECT User, Host, account_locked, password_expired,
password_last_changed
FROM mysql.user
WHERE User = 'root';
Unlock an account:
ALTER USER 'root'@'localhost' ACCOUNT UNLOCK;
Reset an expired password:
ALTER USER 'myuser'@'localhost' IDENTIFIED BY 'NewPassword123!';
Disable password expiration for a user:
ALTER USER 'myuser'@'localhost' PASSWORD EXPIRE NEVER;
6. Recovering Root Access — The --skip-grant-tables Method
If you’ve locked yourself out of root entirely, you can start MySQL in a mode that skips authentication. This requires server access.
Step 1 — Stop MySQL:
# Ubuntu/Debian
sudo systemctl stop mysql
# CentOS/RHEL
sudo systemctl stop mysqld
# macOS (Homebrew)
brew services stop mysql
Step 2 — Start MySQL with --skip-grant-tables:
mysqld --skip-grant-tables --skip-networking &
The --skip-networking flag prevents remote connections during this insecure mode.
Step 3 — Connect and reset the password:
mysql -u root
FLUSH PRIVILEGES;
ALTER USER 'root'@'localhost' IDENTIFIED BY 'NewRootPassword123!';
FLUSH PRIVILEGES;
EXIT;
Step 4 — Restart MySQL normally:
sudo systemctl start mysql
Security Warning: Never leave MySQL running with
--skip-grant-tablesin production. Use this method only for recovery, then immediately restart the service normally.
7. Authentication Plugin Mismatch
MySQL 8.0+ defaults to caching_sha2_password. Older client libraries (including some versions of PHP, Node.js, and Python connectors) may not support this plugin and produce access denied errors.
Check which plugin a user is using:
SELECT User, Host, plugin FROM mysql.user WHERE User = 'myuser';
Switch to the legacy plugin (if you must):
ALTER USER 'myuser'@'localhost' IDENTIFIED WITH mysql_native_password BY 'Password123!';
However, in MySQL 8.4+, mysql_native_password is disabled by default. You need to enable it first:
# Add to my.cnf or my.ini
[mysqld]
mysql_native_password=ON
Then restart MySQL:
sudo systemctl restart mysql
The better approach: Update your client library instead of downgrading security. Most modern drivers now support caching_sha2_password:
# Python
pip install --upgrade mysql-connector-python
# Node.js
npm install mysql2@latest
# PHP
composer require ext-mysqli
8. Connection String and Configuration Issues
Sometimes the credentials are correct, but the way they’re passed to MySQL causes the error.
Docker — Common connection issue:
When connecting to MySQL in Docker, localhost inside a container refers to the container itself, not the host machine.
# docker-compose.yml
services:
db:
image: mysql:8.4
environment:
MYSQL_ROOT_PASSWORD: rootpass123
MYSQL_DATABASE: mydb
MYSQL_USER: myuser
MYSQL_PASSWORD: userpass123
ports:
- "3306:3306"
app:
image: myapp:latest
environment:
# Wrong — "localhost" means the app container
# DB_HOST: localhost
# Correct — use the service name
DB_HOST: db
DB_USER: myuser
DB_PASSWORD: userpass123
DB_NAME: mydb
depends_on:
- db
Node.js connection example:
const mysql = require('mysql2/promise');
async function getConnection() {
try {
const connection = await mysql.createConnection({
host: process.env.DB_HOST || 'localhost',
port: process.env.DB_PORT || 3306,
user: process.env.DB_USER,
password: process.env.DB_PASSWORD,
database: process.env.DB_NAME,
// Important for MySQL 8+
authPlugins: {
caching_sha2_password: undefined
}
});
console.log('Connected to MySQL successfully');
return connection;
} catch (err) {
console.error('Connection failed:', err.message);
throw err;
}
}
Edge Cases and Advanced Scenarios
9. SELinux Blocking MySQL Connections
On CentOS, RHEL, and Fedora, SELinux can silently block network connections to MySQL without producing a clear error.
Check SELinux status:
getenforce
If it returns Enforcing, SELinux might be the culprit.
Allow MySQL network connections:
sudo setsebool -P mysql_connect_network 1
sudo setsebool -P daemons_enable_cluster_mode 1
Temporarily disable SELinux for testing:
sudo setenforce 0
If the error disappears with SELinux disabled, you’ve found the cause. Re-enable it and configure the proper policies.
10. Firewall Blocking the Connection
The connection might be blocked before it even reaches MySQL.
Check if MySQL is listening:
sudo ss -tlnp | grep 3306
On Ubuntu/Debian (UFW):
sudo ufw allow 3306/tcp
sudo ufw status
On CentOS/RHEL (firewalld):
sudo firewall-cmd --permanent --add-port=3306/tcp
sudo firewall-cmd --reload
11. MySQL bind-address Configuration
By default, MySQL may only listen on 127.0.0.1, preventing remote connections entirely.
Check the current bind-address:
sudo grep bind-address /etc/mysql/mysql.conf.d/mysqld.cnf
Allow remote connections:
# /etc/mysql/mysql.conf.d/mysqld.cnf
[mysqld]
bind-address = 0.0.0.0
Then restart:
sudo systemctl restart mysql
For production, bind to a specific internal IP instead of 0.0.0.0.
12. SSL/TLS Requirements
MySQL can require SSL connections, and non-SSL clients will receive access denied errors.
Check SSL requirements:
SELECT User, Host, ssl_type FROM mysql.user WHERE User = 'myuser';
Require SSL for a user:
ALTER USER 'myuser'@'%' REQUIRE SSL;
Remove SSL requirement:
ALTER USER 'myuser'@'%' REQUIRE NONE;
FLUSH PRIVILEGES;
Connect with SSL in Python:
import mysql.connector
import ssl
ssl_context = ssl.create_default_context(
ca='/path/to/ca.pem'
)
conn = mysql.connector.connect(
host='db.example.com',
user='myuser',
password='SecurePass123!',
database='mydb',
ssl_ca='/path/to/ca.pem',
ssl_verify_cert=True
)
13. MySQL 9.x — New Authentication Defaults
MySQL 9.x introduced changes to default authentication. The mysql_native_password plugin is fully removed, and caching_sha2_password is mandatory for new installations.
If you’re upgrading from MySQL 5.7 or 8.0, existing users with mysql_native_password will fail to authenticate after upgrade.
Fix after upgrading to MySQL 9.x:
-- Update all users to caching_sha2_password
UPDATE mysql.user
SET plugin = 'caching_sha2_password'
WHERE plugin = 'mysql_native_password';
-- Then reset their passwords
ALTER USER 'myuser'@'localhost' IDENTIFIED BY 'NewPassword123!';
FLUSH PRIVILEGES;
14. Max Connection Errors — Host Blocked
MySQL blocks a host after too many connection failures (controlled by max_connect_errors). This produces an error that looks similar to access denied.
Check the threshold:
SHOW VARIABLES LIKE 'max_connect_errors';
Unblock a host:
FLUSH HOSTS;
Increase the threshold permanently:
# my.cnf or my.ini
[mysqld]
max_connect_errors = 100000
15. Cloud Database — Managed MySQL Restrictions
If you’re using AWS RDS, Google Cloud SQL, or Azure Database for MySQL, some operations require platform-level changes:
- You cannot use
SUPERprivilege on RDS — userds_superuserrole instead - Some
GRANTstatements require parameter group changes - IAM authentication on RDS uses temporary tokens, not passwords
AWS RDS IAM authentication example (Python):
import boto3
import mysql.connector
def get_rds_token():
client = boto3.client('rds')
token = client.generate_db_auth_token(
DBHostname='mydb.cluster-xxx.us-east-1.rds.amazonaws.com',
Port=3306,
DBUsername='myuser'
)
return token
conn = mysql.connector.connect(
host='mydb.cluster-xxx.us-east-1.rds.amazonaws.com',
user='myuser',
password=get_rds_token(),
database='mydb',
ssl_ca='rds-ca-2019-root.pem'
)
Debugging Checklist
When you encounter the Access denied error, work through this checklist systematically:
#!/bin/bash
# MySQL connection diagnostic script
echo "=== MySQL Connection Diagnostic ==="
# 1. Check if MySQL is running
echo "1. Checking MySQL service status..."
systemctl is-active mysql || systemctl is-active mysqld
# 2. Check if port 3306 is listening
echo "2. Checking port 3306..."
ss -tlnp | grep 3306
# 3. Test local connection
echo "3. Testing local root connection..."
mysql -u root -p -e "SELECT 'Connection successful' AS status;" 2>&1
# 4. Check user hosts
echo "4. Listing user accounts..."
mysql -u root -p -e "SELECT User, Host, plugin FROM mysql.user;" 2>&1
# 5. Check for anonymous users
echo "5. Checking for anonymous users..."
mysql -u root -p -e "SELECT User, Host FROM mysql.user WHERE User = '';" 2>&1
# 6. Check max_connect_errors
echo "6. Checking blocked hosts..."
mysql -u root -p -e "SHOW VARIABLES LIKE 'max_connect_errors';" 2>&1
echo "=== Diagnostic Complete ==="