EmergencyEMERGENCY? Get 24/7 Help Now!

Where is the MySQL 5.7 root password?

 | May 18, 2016 |  Posted In: MySQL


MySQL 5.7 root passwordIn this blog, we’ll discuss how to find the MySQL 5.7 root password.

While new MySQL software security features are always welcome, they can impact use and performance. Now by default, MySQL 5.7 creates a password for the root user (among other changes) so the installation itself can be considered secure. It’s a necessary change, but it has confused some customers and users. I see a lot of people on social networks (like Twitter) asking about this change.

Where is my root password?

The answer depends on the way you have installed MySQL 5.7 or Percona Server 5.7. I am going to show where to find the password depending on the installation method and the distribution used. For all these examples, I assume this is a new installation and you are using the default my.cnf.

Centos/Redhat – RPM Packages.

The password is not shown on screen during the installation. It is in the error log. The autogenerated my.cnf contains this line:

So, there is our password:


During the packages installation, you get a prompt asking for the root password. If you don’t set it up, MySQL’s root user is created without a password. We can read the following line in package installation output:

but it is configured with the auth_socket plugin. You will only be able to connect using the UNIX socket, therefore any attempt to connect using your local IP or the network fails. Later on, you can change the password to allow connections from the network (as explained in this blog post).

All distributions – Binary tarball

mysql_install_db has been deprecated since MySQL 5.7.6. You need to use mysqld to initialize all system databases (like mysql, it contains the users and password). You have two ways of doing it:

–initialize: this is the default and recommended option. It will create a mysql database including a random password that will be written in the error log.

If you don’t have error-log directive configured, or any my.cnf at all, then it will be in the datadir with host_name.err name.

–initialize-insecure: datadir will be initialized without setting a random password to the root user.


Unfortunately, more security can also add more confusion. Depending on the installation method and distribution, the MySQL 5.7 root password process varies a lot, so keep an eye on the error log after every installation and also watch the installation process output shown on screen. In case you are really lost (or you have removed the error log for some reason), you can still start mysqld with --skip-grant-tables to access the database and change the password.

Miguel Angel Nieto

Miguel joined Percona in October 2011. He has worked as a System Administrator for a Free Software consultant and in the supporting area of the biggest hosting company in Spain. His current focus is improving MySQL and helping the community of Free Software to grow.


  • very good post , i met a problem when i deploy muti instance on one host . and one my.cnf pre instance .
    initialize like this .
    /usr/local/mysql/bin/mysqld –initialize-insecure –basedir=/usr/local/mysql –datadir=/data/mysql3307/data
    /usr/local/mysql/bin/mysqld –initialize-insecure –basedir=/usr/local/mysql –datadir=/data/mysql3307/data
    . i start the 3306 instance ok . and can run normally , but when i start the second one , i met the error :

    2016-05-26T07:45:31.654495Z 0 [Note] Plugin ‘FEDERATED’ is disabled.
    mysqld: Table ‘mysql.plugin’ doesn’t exist
    2016-05-26T07:45:31.654667Z 0 [ERROR] Can’t open the mysql.plugin table. Please run mysql_upgrade to create it.
    2016-05-26T07:45:31.658189Z 0 [Warning] Gtid table is not ready to be used. Table ‘mysql.gtid_executed’ cannot be opened.
    2016-05-26T07:45:31.660458Z 0 [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.
    2016-05-26T07:45:31.660471Z 0 [Note] Skipping generation of SSL certificates as certificate files are present in data directory.
    2016-05-26T07:45:31.667197Z 0 [Warning] CA certificate ca.pem is self signed.
    2016-05-26T07:45:31.667260Z 0 [Note] Skipping generation of RSA key pair as key files are present in data directory.
    2016-05-26T07:45:31.667353Z 0 [Note] Server hostname (bind-address): ‘*’; port: 3307
    2016-05-26T07:45:31.668472Z 0 [Note] IPv6 is not available.
    2016-05-26T07:45:31.668549Z 0 [Note] – ‘’ resolves to ‘’;
    2016-05-26T07:45:31.668562Z 0 [Note] Server socket created on IP: ‘’.
    2016-05-26T07:45:31.669633Z 0 [Warning] Failed to open optimizer cost constant tables

    2016-05-26T07:45:31.669709Z 0 [ERROR] Fatal error: Can’t open and lock privilege tables: Table ‘mysql.user’ doesn’t exist
    2016-05-26T07:45:31.669746Z 0 [ERROR] Aborting

    Do you know how to solve this problem , thanks.

  • Is there any way around this? I use Puppet to install Percona 5.6 and want to use 5.7 but Puppet will not work because it randomly generates a password, so it can’t connect to configure all the custom permissions we’ve defined.

  • In my case it is not writing anything to /var/log/mysqld.log.
    After some digging, I have found that if I run “/etc/init.d/mysql start”, the temporary password gets printed in the stdout. So I actually had to run the following to be able to follow the official documentation:

    /etc/init.d/mysql start > /var/log/mysqld.log 2>&1

    I dont know why is it different in my case, I am running a Amazon linux based image in Docker.
    Hope this helps someone from wasting hours.

Leave a Reply