Preamble
When thinking about the security of a MySQL installation, you can consider a wide range of possible procedures and recommendations, and their impact on the security of your MySQL server and related applications.
MySQL provides many tools, functions, plugins and components to protect your data, including advanced features such as Transparent Data Encryption (TDE), auditing, data masking and de-identification, firewall, login failure tracking and temporary account locking, connection control plugins, the password validation component, etc…
TL;DR
The dual password capability lets you change credentials seamlessly.
MySQL implements dual passwords with syntax that saves and discards secondary passwords:
- The RETAIN CURRENT PASSWORD clause for the ALTER USER and SET PASSWORD statements saves an account's current password as its secondary password when you assign a new primary password.
- The DISCARD OLD PASSWORD clause for ALTER USER discards an account's secondary password, leaving only the primary password.
The goal is to avoid downtime when changing passwords in replicated environments. Clients can keep using the old password while the new password is being set across a group of servers, and the old password is removed only once the new password has been set across the entire group.
Workflow:
On each server that is not a replication slave, set a new password, for example:
ALTER USER 'myApp'@'host' IDENTIFIED BY 'NEW_password' RETAIN CURRENT PASSWORD;
Wait for the password change to replicate throughout the system to all slave servers.
Modify each application that uses the myApp account so that it connects to the servers using the password “NEW_password” rather than “OLD_password”.
On each server that is not a replication slave, discard the secondary password, for example:
ALTER USER 'myApp'@'host' DISCARD OLD PASSWORD;
Let’s take a quick look using MySQL 8.0:
MySQL SQL> SELECT VERSION();
+-----------+
| VERSION() |
+-----------+
| 8.0.19    |
+-----------+
Create the user account myApp@localhost with password pwd1:
MySQL root SQL>
CREATE USER myApp@localhost IDENTIFIED BY 'pwd1';
We can now connect with that username and password:
$ mysql -u myApp -ppwd1 -e "SELECT USER()"
mysql: [Warning] Using a password on the command line interface can be insecure.
+-----------------+
| USER()          |
+-----------------+
| myApp@localhost |
+-----------------+
Note: As the warning in the output indicates, passing a password on the command line is bad practice.
Now the database administrator (superuser) uses the ALTER USER statement with the RETAIN CURRENT PASSWORD clause to change the credentials using the dual password mechanism, adding pwd2 as the primary password.
Thus, pwd1 is now the secondary password:
MySQL root SQL>
ALTER USER myApp@localhost IDENTIFIED BY 'pwd2' RETAIN CURRENT PASSWORD;
We can use our username and new password (pwd2) to connect:
$ mysql -u myApp -ppwd2 -e "SELECT USER()"
mysql: [Warning] Using a password on the command line interface can be insecure.
+-----------------+
| USER()          |
+-----------------+
| myApp@localhost |
+-----------------+
But the old password (pwd1) is still valid:
$ mysql -u myApp -ppwd1 -e "SELECT USER()"
mysql: [Warning] Using a password on the command line interface can be insecure.
+-----------------+
| USER()          |
+-----------------+
| myApp@localhost |
+-----------------+
Now it is time to discard the secondary password (pwd1):
MySQL root SQL>
ALTER USER myApp@localhost DISCARD OLD PASSWORD;
$ mysql -u myApp -ppwd2 -e "SELECT USER()"
mysql: [Warning] Using a password on the command line interface can be insecure.
+-----------------+
| USER()          |
+-----------------+
| myApp@localhost |
+-----------------+
$ mysql -u myApp -ppwd1 -e "SELECT USER()"
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'myApp'@'localhost' (using password: YES)
As you can see, only the new password (pwd2) is valid.
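Between the RETAIN and DISCARD steps the old password keeps working, so it is worth checking which accounts still carry a secondary password. The following is an added example, not part of the original post: it repeats the rotation with the demo account and adds an audit query. It assumes an administrative session with SELECT on mysql.user, and relies on MySQL 8.0 storing the retained password under the additional_password key of the User_attributes JSON column.

```sql
-- Added example (not from the original post). Run as an administrator
-- that can read mysql.user. Account and passwords are the demo values above.

-- 1. Rotate: pwd2 becomes the primary password, pwd1 is kept as secondary.
ALTER USER 'myApp'@'localhost'
  IDENTIFIED BY 'pwd2' RETAIN CURRENT PASSWORD;

-- 2. Audit: list every account that still accepts a retained old password.
--    The secondary password hash lives in User_attributes as
--    {"additional_password": "..."}; the hash itself is not selected here.
SELECT User, Host, plugin, password_last_changed
FROM   mysql.user
WHERE  JSON_CONTAINS_PATH(User_attributes, 'one', '$.additional_password')
ORDER  BY password_last_changed;

-- 3. Once every application has switched to pwd2, retire the old password.
ALTER USER 'myApp'@'localhost' DISCARD OLD PASSWORD;

-- 4. Re-run the audit for this account: no row means only the primary
--    password remains valid.
SELECT User, Host
FROM   mysql.user
WHERE  User = 'myApp'
  AND  Host = 'localhost'
  AND  JSON_CONTAINS_PATH(User_attributes, 'one', '$.additional_password');
```

Running the audit query in step 2 on a schedule shows rotations that were started but never finished, where an old credential is still accepted.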