Where is the MySQL 5.7 root password?

MySQL 5.7 root passwordIn this blog, we’ll discuss how to find the MySQL 5.7 root password.

While new MySQL software security features are always welcome, they can impact use and performance. Now by default, MySQL 5.7 creates a password for the root user (among other changes) so the installation itself can be considered secure. It’s a necessary change, but it has confused some customers and users. I see a lot of people on social networks (like Twitter) asking about this change.

So, where is my MySQL 5.7 root password?

The answer depends on the way you have installed MySQL 5.7 or Percona Server 5.7. I am going to show where to find the password depending on the installation method and the distribution used. For all these examples, I assume this is a new installation and you are using the default my.cnf.

Centos/Redhat – RPM Packages.

The password is not shown on screen during the installation. It is in the error log. The autogenerated my.cnf contains this line:

So, there is our password:


During the packages installation, you get a prompt asking for the root password. If you don’t set it up, MySQL’s root user is created without a password. We can read the following line in package installation output:

but it is configured with the auth_socket plugin. You will only be able to connect using the UNIX socket, therefore any attempt to connect using your local IP or the network fails. Later on, you can change the password to allow connections from the network (as explained in this blog post).

All distributions – Binary tarball

mysql_install_db has been deprecated since MySQL 5.7.6. You need to use mysqld to initialize all system databases (like mysql, it contains the users and password). You have two ways of doing it:

–initialize: this is the default and recommended option. It will create a mysql database including a random password that will be written in the error log.

If you don’t have error-log directive configured or any my.cnf at all, then it will be in the datadir with host_name.err name.

–initialize-insecure: datadir will be initialized without setting a random password to the root user.


Unfortunately, more security can also add more confusion. Depending on the installation method and distribution, the MySQL 5.7 root password process varies a lot, so keep an eye on the error log after every installation and also watch the installation process output shown on screen. In case you are really lost (or you have removed the error log for some reason), you can still start mysqld with --skip-grant-tables to access the database and change the password.

Share this post

Comments (15)

  • Vladislav “FractalizeR” Rastrusny

    Is it really secure to put passwords to logs? I daresay I doubt very much.

    May 19, 2016 at 3:14 am
    • Roman Vynar

      This is a temporary password which is marked as expired immediately meaning MySQL will ask you to change it on the first login.

      May 20, 2016 at 4:38 pm
  • Ruichao Lin

    very good post , i met a problem when i deploy muti instance on one host . and one my.cnf pre instance .
    initialize like this .
    /usr/local/mysql/bin/mysqld –initialize-insecure –basedir=/usr/local/mysql –datadir=/data/mysql3307/data
    /usr/local/mysql/bin/mysqld –initialize-insecure –basedir=/usr/local/mysql –datadir=/data/mysql3307/data
    . i start the 3306 instance ok . and can run normally , but when i start the second one , i met the error :

    2016-05-26T07:45:31.654495Z 0 [Note] Plugin ‘FEDERATED’ is disabled.
    mysqld: Table ‘mysql.plugin’ doesn’t exist
    2016-05-26T07:45:31.654667Z 0 [ERROR] Can’t open the mysql.plugin table. Please run mysql_upgrade to create it.
    2016-05-26T07:45:31.658189Z 0 [Warning] Gtid table is not ready to be used. Table ‘mysql.gtid_executed’ cannot be opened.
    2016-05-26T07:45:31.660458Z 0 [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.
    2016-05-26T07:45:31.660471Z 0 [Note] Skipping generation of SSL certificates as certificate files are present in data directory.
    2016-05-26T07:45:31.667197Z 0 [Warning] CA certificate ca.pem is self signed.
    2016-05-26T07:45:31.667260Z 0 [Note] Skipping generation of RSA key pair as key files are present in data directory.
    2016-05-26T07:45:31.667353Z 0 [Note] Server hostname (bind-address): ‘*’; port: 3307
    2016-05-26T07:45:31.668472Z 0 [Note] IPv6 is not available.
    2016-05-26T07:45:31.668549Z 0 [Note] – ‘’ resolves to ‘’;
    2016-05-26T07:45:31.668562Z 0 [Note] Server socket created on IP: ‘’.
    2016-05-26T07:45:31.669633Z 0 [Warning] Failed to open optimizer cost constant tables

    2016-05-26T07:45:31.669709Z 0 [ERROR] Fatal error: Can’t open and lock privilege tables: Table ‘mysql.user’ doesn’t exist
    2016-05-26T07:45:31.669746Z 0 [ERROR] Aborting

    Do you know how to solve this problem , thanks.

    May 26, 2016 at 4:11 am
  • Matt

    Is there any way around this? I use Puppet to install Percona 5.6 and want to use 5.7 but Puppet will not work because it randomly generates a password, so it can’t connect to configure all the custom permissions we’ve defined.

    November 7, 2016 at 12:39 pm
    • Herrmann

      unattended install on debian is a nightmare too

      December 16, 2016 at 4:32 pm
      • Chris Craig

        Not at all! For silent install do the following:

        apt-get install -q -y debconf-utils
        echo “mysql-server mysql-server/root_password password ” | debconf-set-selections
        echo “mysql-server mysql-server/root_password_again password ” | debconf-set-selections
        apt-get install -y –force-yes mysql-server

        After installation you can run mysql commands like so:
        “/usr/bin/mysql –defaults-extra-file=/etc/mysql/debian.cnf -e …”

        June 30, 2017 at 9:38 am
        • Chris Craig

          After “password” in the echo string should be some random password, natch. (comment system swallowed my angle bracket placeholder)

          June 30, 2017 at 9:45 am
  • Fahad Hasan

    In my case it is not writing anything to /var/log/mysqld.log.
    After some digging, I have found that if I run “/etc/init.d/mysql start”, the temporary password gets printed in the stdout. So I actually had to run the following to be able to follow the official documentation:

    /etc/init.d/mysql start > /var/log/mysqld.log 2>&1

    I dont know why is it different in my case, I am running a Amazon linux based image in Docker.
    Hope this helps someone from wasting hours.

    January 9, 2017 at 12:26 am
  • Jakim

    you saved my day

    March 31, 2017 at 5:02 am
  • Karthik M

    i have installed Mysql 5.7.18 on my linux machine and i found the default password to login.
    due to some error i have uninstalled the package and again freshly installed. but this time i cannot find the default new password in the path where i found the password earlier.

    June 8, 2017 at 6:58 am
  • Hassan Paknia

    In case you want to install mysql or percona unattended (like in my case ansible), you can use following script:

    # first part opens mysql log
    # second part greps lines with temporary password
    # third part picks last line (most recent one)
    # last part removes all the line except the password
    # the result goes into password variable

    password=$(cat /var/log/mysqld.log | grep “A temporary password is generated for” | tail -1 | sed -n ‘s/.*root@localhost: //p’)

    # setting new password, you can use $1 and run this script as a file and pass the argument through the script


    # resetting temporary password

    mysql -uroot -p$password -Bse “ALTER USER ‘root’@’localhost’ IDENTIFIED BY ‘$newPassword’;”

    June 15, 2017 at 11:35 pm
    • Eugene Klimov

      for centos/7 workaround

      if [[ ! -f /etc/mysql/defaults.cnf ]]; then
      MYSQL_ROOT_PASSWD=$(grep "A temporary password is generated for root@localhost:" /var/log/mysqld.log | tail -n 1 | cut -d " " -f 11)
      yum install -y pwgen
      NEW_MYSQL_ROOT_PASSWD=$(pwgen -y 16 1)
      mysql --verbose -u root --password="${MYSQL_ROOT_PASSWD}" --connect-expired-password -Bse "ALTER USER USER() IDENTIFIED BY '${NEW_MYSQL_ROOT_PASSWD}'"
      echo "[mysql]" > /etc/mysql/defaults.cnf
      echo "user=root" >> /etc/mysql/defaults.cnf
      echo "password=${MYSQL_ROOT_PASSWD}" >> /etc/mysql/defaults.cnf
      mysql --defaults-extra-file=/etc/mysql/defaults.cnf "SHOW DATABASES"

      November 24, 2019 at 2:03 am
  • Li Chen

    you can also check the journalctl output if you start mysqld by systemctl. Like this:

    journalctl -xe |grep mysqld |grep temporary

    and look for line saying generate temporary password.

    This is especially useful on Archlinux family as the mysqld.log is empty for unknown reason.

    Hope this can help somebody.

    July 16, 2018 at 9:50 pm

    Thank you very mush

    April 2, 2019 at 6:22 am

Comments are closed.

Use Percona's Technical Forum to ask any follow-up questions on this blog topic.