How to Configure Dual Passwords in MySQL
This article explains how to configure and use the dual password feature in MySQL to achieve seamless credential rotation without application downtime. You will learn the SQL commands required to introduce a secondary password, transition your applications to the new credentials, and safely deprecate the old password once the migration is complete.
Understanding MySQL Dual Passwords
In high-availability environments, rotating database credentials can cause downtime if the application and database are not updated simultaneously. MySQL solves this issue by supporting dual passwords (a primary and a secondary password) for a single user account.
When dual passwords are enabled, MySQL allows client connections using either password. This enables a three-step rotation workflow: 1. Apply a new password while retaining the current one as a secondary password. 2. Update all application clients to use the new password at their own pace. 3. Discard the old password once all clients have transitioned.
Step-by-Step Credential Rotation
Step 1: Add the New Password
To initiate the rotation, set the new password as the primary password while retaining the existing password as the secondary option. Run the following command:
ALTER USER 'app_user'@'localhost'
IDENTIFIED BY 'NewSecurePass123'
RETAIN CURRENT PASSWORD;At this stage: * NewSecurePass123 becomes the
primary password. * The previous password becomes the
secondary password. * Applications can connect using
either the old password or the new password.
Step 2: Update Client Applications
With both passwords active, update the connection strings in your
application deployments, microservices, or configuration managers to use
the new password (NewSecurePass123).
Because the old password is still accepted as the secondary credential, this update can be rolled out progressively across your infrastructure with zero connection failures.
Step 3: Discard the Old Password
Once all application instances have been successfully updated and are connecting with the new password, you must remove the secondary password to secure the account.
Execute the following command to discard the old credential:
ALTER USER 'app_user'@'localhost'
DISCARD OLD PASSWORD;After running this command, only the primary password
(NewSecurePass123) will be accepted. Any connection
attempts using the old password will be rejected.
Verifying the Password State
You can verify the status of a user’s passwords by querying the
mysql.user system table. This helps confirm whether a
secondary password is active before you attempt to discard it.
SELECT user, host, password_expired, password_last_changed
FROM mysql.user
WHERE user = 'app_user';