Encountering ERROR 1045 (28000): Access denied for user 'root'@'localhost' can be frustrating. This common issue often appears after a server reboot, an update, or a configuration change when you're trying to connect to your MySQL or MariaDB instance.
Essentially, this error means your root user authentication has failed, typically due to an incorrect password or incorrect host permissions. This guide offers immediate fixes and detailed troubleshooting steps to help you quickly regain access to your database.
TL;DR Quick Fix: Reset Root Password
In most cases, this error stems from an incorrect password for the root user. The fastest way to resolve it is by resetting the root password. This process requires stopping the MySQL service, restarting it in a special mode to bypass authentication, updating the password, and then bringing the service back online normally.
For Ubuntu/Debian-based systems:
# 1. Stop the MySQL/MariaDB service
sudo systemctl stop mysql
# 2. Start MySQL in safe mode (skip grant tables)
# Create a temporary directory for the MySQL socket if it doesn't exist or is permission-denied
sudo mkdir -p /var/run/mysqld
sudo chown -R mysql:mysql /var/run/mysqld
sudo mysqld_safe --skip-grant-tables --skip-networking &
# Wait a few seconds for the service to start
sleep 5
# 3. Connect to MySQL as root without a password
mysql -u root
# Inside the MySQL prompt, update the password:
# For MySQL 8.x:
ALTER USER 'root'@'localhost' IDENTIFIED BY 'YourNewSecurePasswordHere';
FLUSH PRIVILEGES;
# For MySQL 5.7+ or MariaDB (using authentication_string):
UPDATE mysql.user SET authentication_string=PASSWORD('YourNewSecurePasswordHere') WHERE User='root' AND Host='localhost';
FLUSH PRIVILEGES;
# For older MySQL (5.6 and below) or specific MariaDB setups (using Password column):
# UPDATE mysql.user SET Password=PASSWORD('YourNewSecurePasswordHere') WHERE User='root' AND Host='localhost';
# FLUSH PRIVILEGES;
# 4. Exit MySQL and stop the safe mode process
exit
sudo pkill mysqld_safe
# 5. Start the MySQL service normally
sudo systemctl start mysql
# 6. Verify the fix
mysql -u root -p
# Enter 'YourNewSecurePasswordHere' when prompted.
For CentOS/RHEL-based systems:
# 1. Stop the MySQL/MariaDB service
sudo systemctl stop mysqld
# 2. Start MySQL in safe mode
sudo mkdir -p /var/run/mysqld
sudo chown -R mysql:mysql /var/run/mysqld
sudo mysqld_safe --skip-grant-tables --skip-networking &
# Wait a few seconds
sleep 5
# 3. Connect to MySQL as root without a password
mysql -u root
# Inside the MySQL prompt (same as above):
# For MySQL 8.x:
ALTER USER 'root'@'localhost' IDENTIFIED BY 'YourNewSecurePasswordHere';
FLUSH PRIVILEGES;
# For MySQL 5.7+ or MariaDB (using authentication_string):
UPDATE mysql.user SET authentication_string=PASSWORD('YourNewSecurePasswordHere') WHERE User='root' AND Host='localhost';
FLUSH PRIVILEGES;
# 4. Exit MySQL and stop the safe mode process
exit
sudo pkill mysqld_safe
# 5. Start the MySQL service normally
sudo systemctl start mysqld
# 6. Verify the fix
mysql -u root -p
# Enter 'YourNewSecurePasswordHere' when prompted.
Important: Replace YourNewSecurePasswordHere with a strong, unique password. Aim for a password that is at least 12-16 characters long, combining uppercase and lowercase letters, numbers, and symbols for maximum security.
Detailed Root Cause
When the MySQL server encounters ERROR 1045 (28000): Access denied for user 'root'@'localhost', it's explicitly refusing a connection attempt. This usually happens because the authentication details provided by your client (like username, password, and the connecting host) don't match any entries in MySQL's grant tables that would allow access.
Common reasons include:
- Incorrect Password: This is by far the most frequent cause. Often, you might simply be providing the wrong password for the
rootuser. This can result from typos, forgetting a recently changed password, or if a password update wasn't correctly reflected in your application's connection strings. - User Not Configured for Host: MySQL's user accounts are identified by both a username AND a host.
root@localhostis a distinct user fromroot@192.168.1.100orroot@%(any host). If you're trying to connect from a remote machine, but therootuser is only defined forlocalhost, you'll get this error. - Corrupted Grant Tables: While less common, this is still a possibility. The
mysql.usertable, or other related grant tables, could be corrupted or even missing the criticalrootentry.
Fix Approaches
While resetting the password is the most common fix, other scenarios can lead to this error. Let's explore more robust solutions for those situations.
1. Resetting the Root Password (In-Depth)
This is the primary fix, detailed with an explanation of each step.
Step 1: Stop the MySQL/MariaDB Service
Ensure the database service is stopped cleanly.
# For systemd-based systems (Ubuntu, Debian, CentOS 7+, RHEL 7+)
sudo systemctl stop mysql # or mariadb, mysqld
# For older systems (SysVinit)
sudo service mysql stop # or mariadb, mysqld
Step 2: Start MySQL in Safe Mode (Bypass Authentication)
To gain access, you need to start MySQL with --skip-grant-tables. This special mode allows you to connect as root without needing a password. We also add --skip-networking as a crucial security measure, preventing any external connections while the database is in this vulnerable state.
# Ensure /var/run/mysqld exists with correct permissions
sudo mkdir -p /var/run/mysqld
sudo chown -R mysql:mysql /var/run/mysqld
sudo mysqld_safe --skip-grant-tables --skip-networking &
# Wait a few seconds for the service to initialize
sleep 5
Step 3: Connect to MySQL as Root and Update Password
Connect without a password and execute the appropriate ALTER USER or UPDATE command.
mysql -u root
Inside the MySQL prompt:
For MySQL 8.0+:
ALTER USER 'root'@'localhost' IDENTIFIED BY 'YourNewSecurePassword!';
FLUSH PRIVILEGES;
For MySQL 5.7+ and MariaDB (using authentication_string):
UPDATE mysql.user SET authentication_string=PASSWORD('YourNewSecurePassword!') WHERE User='root' AND Host='localhost';
FLUSH PRIVILEGES;
For older MySQL versions (5.6 and below) or specific MariaDB setups (using Password column):
UPDATE mysql.user SET Password=PASSWORD('YourNewSecurePassword!') WHERE User='root' AND Host='localhost';
FLUSH PRIVILEGES;
Remember to replace YourNewSecurePassword! with a strong, unique password. After executing the command, type exit to leave the MySQL prompt.
Step 4: Stop the Safe Mode MySQL Process
Terminate the insecure mysqld_safe process.
sudo pkill mysqld_safe
# If needed, find PID: ps aux | grep mysql | grep 'skip-grant-tables' | awk '{print $2}' | xargs sudo kill
Step 5: Start the MySQL Service Normally
sudo systemctl start mysql # or mariadb, mysqld
2. Addressing Host-Specific Access Issues
If you're connecting from a remote machine and the root user is only defined for localhost, you'll receive the access denied error. MySQL user accounts are tied to both username and host.
If you need to allow root access from any host (which is less secure and should be used with extreme caution in production environments) or from a specific IP address, follow these steps:
First, ensure you can connect as root@localhost (using the password reset if necessary). Then, inside the MySQL client:
Allow root from any host (%) (MySQL 8.x):
ALTER USER 'root'@'localhost' IDENTIFIED WITH 'mysql_native_password' BY 'YourSuperStrongPassword!'; -- Optional: change plugin for compatibility
CREATE USER 'root'@'%' IDENTIFIED BY 'YourSuperStrongPassword!';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
Allow root from any host (%) (MySQL 5.x / MariaDB):
UPDATE mysql.user SET Host='%' WHERE User='root' AND Host='localhost';
FLUSH PRIVILEGES;
-- If password needs re-setting after host change:
-- UPDATE mysql.user SET authentication_string=PASSWORD('YourSuperStrongPassword!') WHERE User='root' AND Host='%' ;
-- FLUSH PRIVILEGES;
Best Practice: Create dedicated, less privileged users for remote access and specific applications instead of using root remotely.
CREATE USER 'your_admin'@'your_remote_ip' IDENTIFIED BY 'StrongPassword!';
GRANT ALL PRIVILEGES ON *.* TO 'your_admin'@'your_remote_ip' WITH GRANT OPTION;
FLUSH PRIVILEGES;
3. Verifying Grant Tables or Missing Root User
In rare cases, the mysql.user table might be corrupted or the root user entry could be missing. Connect in safe mode (mysql -u root) and then:
USE mysql;
SELECT user, host, authentication_string, plugin FROM user WHERE user='root';
If the root user is missing or the output indicates corruption, further investigation into your MySQL installation might be needed. Avoid mysql_install_db or data directory re-initialization without a full backup, as this can lead to data loss.
Verification Steps
Once you've applied a fix, it's essential to confirm that you can connect successfully. Here's how to verify:
- Attempt connection from the server:
mysql -u root -p
# Enter your new password.
If successful, you'll see the MySQL prompt (mysql>).
- Attempt connection from a remote client (if applicable):
mysql -h your_mysql_server_ip -u root -p
# Enter your new password.
- Run a simple query: Once connected, run a basic query to confirm everything is operational:
SHOW DATABASES;
This confirms both successful access and basic database functionality. If you see your databases listed, you've successfully resolved the issue!
Further Reading
For more in-depth understanding of MySQL user management and security, refer to the official documentation: