Fixing MySQL ERROR 1820: The 'Must Reset Password' Lockout

beginner | MySQL | 2026-04-01 | MySQL 5.7, MySQL 8.0+, Ubuntu, CentOS, Debian, Windows, macOS

Error Message

ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
#mysql #database-administration #sql-errors #security #devops

Why MySQL Is Blocking Your Queries

You just finished installing MySQL 8.0 or perhaps manually reset your root credentials. Everything seems fine until you log in with that messy temporary password. You try to run a simple SHOW DATABASES; command, but the server pushes back with a frustrating message:

ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.

MySQL triggers this lock because it marks the initial or reset password as "expired" for security. Think of it as a forced safety check. Until you set a permanent password, the server stays in a restricted sandbox mode, preventing almost all administrative tasks.

The Debugging Process

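The server is essentially waiting for one specific command to prove the account is secure. On Linux distributions like Ubuntu or CentOS, you probably grabbed your initial password from the error log using this command (the path shown is the default for RPM-based installs; if your log lives elsewhere, check the log_error setting):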

sudo grep 'temporary password' /var/log/mysqld.log

That temporary string is only meant for a single login. Internally, MySQL checks the password_expired column in the mysql.user system table. If that value is 'Y', you are stuck in this restricted shell until you update the credentials.

The Solution

Fixing this takes less than a minute. You need to tell MySQL exactly what your new, permanent password will be.

Step 1: Run the ALTER USER Command

While inside the MySQL shell, execute the following statement. Make sure to replace 'YourNewStrongPassword123!' with a secure string of your choice.

ALTER USER 'root'@'localhost' IDENTIFIED BY 'YourNewStrongPassword123!';

This syntax works for all modern versions, including MySQL 5.7 and 8.0. Once executed, the "expired" flag clears immediately.

Step 2: Troubleshooting Password Policy Errors

Sometimes, your chosen password isn't strong enough for MySQL's default security plugin. You might see this instead:

ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

By default, MySQL 8.0 requires at least 8 characters, including one uppercase letter, one lowercase letter, one number, and one special character. If you need a compliant string quickly, try the Password Generator on ToolCraft. It creates high-entropy passwords that pass these checks every time.

Working on a local development machine? You can temporarily lower the strictness if you prefer a simpler password. LOW checks only the password length, so switch back to MEDIUM (the default) once you are done:

-- For MySQL 8.x
SET GLOBAL validate_password.policy=LOW;
-- For MySQL 5.7
SET GLOBAL validate_password_policy=LOW;

Step 3: Finalize and Verify

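ALTER USER applies the change immediately, so a reload is not strictly required; FLUSH PRIVILEGES is only needed when the grant tables were modified directly with INSERT, UPDATE or DELETE. Still, it never hurts to refresh the internal grant tables. Run this to be certain: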

FLUSH PRIVILEGES;

Now, test your access. Try running SHOW DATABASES; again. If the list of system schemas appears, you have successfully unlocked the account. Exit the shell and log back in with your new password to confirm the change is persistent.

Lessons for Next Time

  • Sandbox Mode: When a password expires, MySQL enters a restricted state that only accepts account management commands.
  • Temporary Credentials: Never use temporary passwords for production scripts. They are designed for a one-time setup only.
  • Automation Tip: If you use Ansible or Docker to deploy databases, include an ALTER USER step in your bootstrap scripts to prevent automation workflows from hanging on this error.
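A sketch of the bootstrap step from the Automation Tip, added here as an example and not taken from the original page. The function names are hypothetical, and it assumes the mysql client is on PATH, the caller supplies the error log path and new password, and the temporary password contains no double quote or backslash.

```shell
#!/bin/sh
# Added example: replace MySQL's expired temporary root password
# non-interactively. Function names and the calling convention are assumptions.

# Print the most recent temporary password recorded in the given error log.
extract_temp_password() {
    # The password is whatever follows "root@localhost: " on the matching line.
    grep 'temporary password' "$1" | tail -n 1 | sed 's/.*root@localhost: //'
}

# Build the ALTER USER statement; refuse characters that would break quoting.
build_alter_sql() {
    case "$1" in
        *\'*|*\\*) echo "new password must not contain a single quote or backslash" >&2
                   return 1 ;;
    esac
    printf "ALTER USER 'root'@'localhost' IDENTIFIED BY '%s';\n" "$1"
}

reset_root_password() {
    log_file=$1 new_pw=$2
    temp_pw=$(extract_temp_password "$log_file")
    [ -n "$temp_pw" ] || { echo "no temporary password in $log_file" >&2; return 1; }
    sql=$(build_alter_sql "$new_pw") || return 1

    # Keep the temporary password out of the process list: pass it through a
    # private option file (mktemp creates it mode 0600) instead of -p<password>.
    cnf=$(mktemp) || return 1
    # Double quotes stop a '#' inside the password from starting a comment.
    printf '[client]\nuser=root\npassword="%s"\n' "$temp_pw" > "$cnf"

    # --connect-expired-password lets a non-interactive client connect with the
    # expired password so the ALTER USER statement can run.
    printf '%s\n' "$sql" | mysql --defaults-extra-file="$cnf" --connect-expired-password
    rc=$?
    rm -f "$cnf"
    return $rc
}

# Usage (new password supplied by your secret store, not hard-coded):
#   reset_root_password /var/log/mysqld.log "$MYSQL_NEW_ROOT_PW"
```

Without --connect-expired-password a scripted client is refused at connect time instead of being placed in the restricted mode, which is why bootstrap jobs stall on this error.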
