Mysql：set password

Posted 2021-03-06 数据库探索

13.7.1.10 SET PASSWORD Statement

SET PASSWORD [FOR user] auth_option
    [REPLACE ‘current_auth_string‘]
    [RETAIN CURRENT PASSWORD]

auth_option: {
    = ‘auth_string‘
  | TO RANDOM
}

The SET PASSWORD statement assigns a password to a mysql user account. The password may be either explicitly specified in the statement or randomly generated by MySQL. The statement may also include a password-verification clause that specifies the account current password to be replaced, and a clause that manages whether an account has a secondary password. ‘auth_string‘ and ‘current_auth_string‘ each represent a cleartext (unencrypted) password.

Note

Rather than using SET PASSWORD to assign passwords, ALTER USER is the preferred statement for account alterations, including assigning passwords. For example:

ALTER USER user IDENTIFIED BY ‘auth_string‘;

Note

Clauses for random password generation, password verification, and secondary passwords apply only to accounts that use an authentication plugin that stores credentials internally to MySQL. For accounts that use a plugin that performs authentication against a credentials system that is external to MySQL, password management must be handled externally against that system as well. For more information about internal credentials storage, see Section 6.2.15, “Password Management”.

The REPLACE ‘current_auth_string‘ clause performs password verification and is available as of MySQL 8.0.13. If given:

• REPLACE specifies the account current password to be replaced, as a cleartext (unencrypted) string.

• The clause must be given if password changes for the account are required to specify the current password, as verification that the user attempting to make the change actually knows the current password.

• The clause is optional if password changes for the account may but need not specify the current password.

• The statement fails if the clause is given but does not match the current password, even if the clause is optional.

• REPLACE can be specified only when changing the account password for the current user.

For more information about password verification by specifying the current password, see Section 6.2.15, “Password Management”.

The RETAIN CURRENT PASSWORD clause implements dual-password capability and is available as of MySQL 8.0.14. If given:

• RETAIN CURRENT PASSWORD retains an account current password as its secondary password, replacing any existing secondary password. The new password becomes the primary password, but clients can use the account to connect to the server using either the primary or secondary password. (Exception: If the new password specified by the SET PASSWORD statement is empty, the secondary password becomes empty as well, even if RETAIN CURRENT PASSWORD is given.)

• If you specify RETAIN CURRENT PASSWORD for an account that has an empty primary password, the statement fails.

• If an account has a secondary password and you change its primary password without specifying RETAIN CURRENT PASSWORD, the secondary password remains unchanged.

For more information about use of dual passwords, see Section 6.2.15, “Password Management”.

SET PASSWORD permits these auth_option syntaxes:

• = ‘auth_string‘

  Assigns the account the given literal password.

• TO RANDOM

  Assigns the account a password randomly generated by MySQL. The statement also returns the cleartext password in a result set to make it available to the user or application executing the statement.

  For details about the result set and characteristics of randomly generated passwords, see Random Password Generation.

  Random password generation is available as of MySQL 8.0.18.

Important

Under some circumstances, SET PASSWORD may be recorded in server logs or on the client side in a history file such as ~/.mysql_history, which means that cleartext passwords may be read by anyone having read access to that information. For information about the conditions under which this occurs for the server logs and how to control it, see Section 6.1.2.3, “Passwords and Logging”. For similar information about client-side logging, see Section 4.5.1.3, “mysql Client Logging”.

SET PASSWORD can be used with or without a FOR clause that explicitly names a user account:

• With a FOR user clause, the statement sets the password for the named account, which must exist:

  SET PASSWORD FOR ‘jeffrey‘@‘localhost‘ = ‘auth_string‘;
  

• With no FOR user clause, the statement sets the password for the current user:

  SET PASSWORD = ‘auth_string‘;
  

  Any client who connects to the server using a nonanonymous account can change the password for that account. (In particular, you can change your own password.) To see which account the server authenticated you as, invoke the CURRENT_USER() function:

  SELECT CURRENT_USER();

If a FOR user clause is given, the account name uses the format described in Section 6.2.4, “Specifying Account Names”. For example:

SET PASSWORD FOR ‘bob‘@‘%.example.org‘ = ‘auth_string‘;

The host name part of the account name, if omitted, defaults to ‘%‘.

SET PASSWORD interprets the string as a cleartext string, passes it to the authentication plugin associated with the account, and stores the result returned by the plugin in the account row in the mysql.user system table. (The plugin is given the opportunity to hash the value into the encryption format it expects. The plugin may use the value as specified, in which case no hashing occurs.)

Setting the password for a named account (with a FOR clause) requires the UPDATE privilege for the mysql system schema. Setting the password for yourself (for a nonanonymous account with no FOR clause) requires no special privileges.

Statements that modify secondary passwords require these privileges:

• The APPLICATION_PASSWORD_ADMIN privilege is required to use the RETAIN CURRENT PASSWORD clause for SET PASSWORD statements that apply to your own account. The privilege is required to manipulate your own secondary password because most users require only one password.

• If an account is to be permitted to manipulate secondary passwords for all accounts, it should be granted the CREATE USER privilege rather than APPLICATION_PASSWORD_ADMIN.

When the read_only system variable is enabled, SET PASSWORD requires the CONNECTION_ADMIN or SUPER privilege in addition to any other required privileges.

For additional information about setting passwords and authentication plugins, see Section 6.2.14, “Assigning Account Passwords”, and Section 6.2.17, “Pluggable Authentication”.

 

 

 

 

mysql> help set password
Name: ‘SET PASSWORD‘
Description:
Syntax:
SET PASSWORD [FOR user] { = ‘auth_string‘| TO RANDOM }
    [REPLACE ‘current_auth_string‘]
    [RETAIN CURRENT PASSWORD]


The SET PASSWORD statement assigns a password to a MySQL user account.
The password may be either explicitly specified in the statement or randomly generated by MySQL.
The statement may also include a password-verification clause 【REPLACE】 that specifies the account current password to be replaced, and a clause 【RETAIN】that manages whether an account has a secondary password.
‘auth_string‘ and ‘current_auth_string‘ each represent a cleartext (unencrypted) password.

#-----------------------------------------------------

*Note*:
ALTER USER is the preferred statement for account alterations, including assigning passwords.
For example:
    ALTER USER user IDENTIFIED BY ‘auth_string‘;

*Note*:
Clauses for random password generation, password verification, and secondary passwords apply only to accounts that use an authentication plugin that stores credentials internally to MySQL.
For accounts that use a plugin that performs authentication against a credentials system that is external to MySQL, password management must be handled externally against that system as well.
For more information about internal credentials storage, see:
    https://dev.mysql.com/doc/refman/8.0/en/password-management.html.

#-----------------------------------------------------

The REPLACE ‘current_auth_string‘ clause performs password verification
and is available as of MySQL 8.0.13. If given:

o REPLACE specifies the account current password to be replaced, as a
  cleartext (unencrypted) string.

o REPLACE can be specified only when changing the account password for
  the current user.

o The statement fails if the clause is given but does not match the
  current password, even if the clause is optional.
 
o The clause is optional if password changes for the account may but
  need not specify the current password.

o The clause can be given if password changes for the account are
  required to specify the current password, as verification that the
  user attempting to make the change actually knows the current
  password.

For more information about password verification by specifying the
current password, see：
    https://dev.mysql.com/doc/refman/8.0/en/password-management.html.

#-----------------------------------------------------

The RETAIN CURRENT PASSWORD clause implements dual-password capability
and is available as of MySQL 8.0.14. If given:

o If you specify RETAIN CURRENT PASSWORD for an account that has an
  empty primary password, the statement fails.

o If an account has a secondary password and you change its primary
  password without specifying RETAIN CURRENT PASSWORD, the secondary
  password remains unchanged.

o RETAIN CURRENT PASSWORD retains an account current password as its
  secondary password, replacing any existing secondary password. The
  new password becomes the primary password, but clients can use the
  account to connect to the server using either the primary or
  secondary password. (Exception: If the new password specified by the
  SET PASSWORD statement is empty, the secondary password becomes empty
  as well, even if RETAIN CURRENT PASSWORD is given.)

For more information about use of dual passwords, see：
    https://dev.mysql.com/doc/refman/8.0/en/password-management.html.

#-----------------------------------------------------

SET PASSWORD permits these auth_option syntaxes:

o = ‘auth_string‘
  Assigns the account the given literal password.

o TO RANDOM
  Random password generation is available as of MySQL 8.0.18.
 
  Assigns the account a password randomly generated by MySQL. The
  statement also returns the cleartext password in a result set to make
  it available to the user or application executing the statement.

  For details about the result set and characteristics of randomly
  generated passwords, see：
    https://dev.mysql.com/doc/refman/8.0/en/password-management.html#random-password-generation.

#-----------------------------------------------------

*Important*:

Under some circumstances, SET PASSWORD may be recorded in server logs or on the client side in a history file such as ~/.mysql_history, which means that cleartext passwords may be read by anyone having read access to that information.
For information about the conditions under which this occurs for the server logs and how to control it, see：
    https://dev.mysql.com/doc/refman/8.0/en/password-logging.html.
For information about client-side logging, see：
    https://dev.mysql.com/doc/refman/8.0/en/mysql-logging.html.

#-----------------------------------------------------

SET PASSWORD can be used with or without a FOR clause that explicitly names a user account:

o With no FOR user clause, the statement sets the password for the   current user:
    SET PASSWORD = ‘auth_string‘;

  Any client who connects to the server using a nonanonymous account can change the password for that account. (In particular, you can change your own password.)
  To see which account the server authenticated you as, invoke the CURRENT_USER() function:
        SELECT CURRENT_USER();

o With a FOR user clause, the statement sets the password for the named   account, which must exist:
    SET PASSWORD FOR ‘jeffrey‘@‘localhost‘ = ‘auth_string‘;

If a FOR user clause is given, the account name uses the format described in：
    https://dev.mysql.com/doc/refman/8.0/en/account-names.html.
For example:
    SET PASSWORD FOR ‘bob‘@‘%.example.org‘ = ‘auth_string‘;

The host name part of the account name, if omitted, defaults to ‘%‘.

#-----------------------------------------------------

SET PASSWORD interprets the string as a cleartext string, passes it to
the authentication plugin associated with the account, and stores the
result returned by the plugin in the account row in the mysql.user system table.
(The plugin is given the opportunity to hash the value into the encryption format it expects.
The plugin may use the value as specified, in which case no hashing occurs.)

#-----------------------------------------------------

Setting the password for a named account (with a FOR clause) requires
the UPDATE privilege for the mysql system schema. Setting the password
for yourself (for a nonanonymous account with no FOR clause) requires
no special privileges.

Statements that modify secondary passwords require these privileges:

o The APPLICATION_PASSWORD_ADMIN privilege is required to use the
  RETAIN CURRENT PASSWORD clause for SET PASSWORD statements that apply
  to your own account. The privilege is required to manipulate your own
  secondary password because most users require only one password.

o If an account is to be permitted to manipulate secondary passwords
  for all accounts, it should be granted the CREATE USER privilege
  rather than APPLICATION_PASSWORD_ADMIN.

When the read_only system variable is enabled, SET PASSWORD requires
the CONNECTION_ADMIN or SUPER privilege in addition to any other required privileges.

URL: https://dev.mysql.com/doc/refman/8.0/en/set-password.html