This error occurs when attempting to change a MySQL password while logged in as an anonymous user. Anonymous accounts lack the ALTER USER privilege required to modify passwords, preventing password changes from succeeding.
MySQL Error 1131 (ER_PASSWORD_ANONYMOUS_USER) is raised when you attempt to execute password-changing commands like SET PASSWORD or ALTER USER while authenticated as an anonymous user. An anonymous MySQL user is an account with a blank username (such as ''@'localhost' or ''@'%') that matches any connection without requiring a specific username. When you connect to MySQL without providing a username, MySQL automatically routes your connection to an anonymous account if one exists. Anonymous accounts are intentionally restricted and do not possess the ALTER USER privilege, which is required to change passwords. This is a security design to prevent unauthorized password modifications through anonymous access.
First, confirm that you are indeed logged in as an anonymous user. You can check this by running:
SELECT USER();If the output shows something like @localhost or @% with an empty username part, you are using an anonymous account. A normal user would display username@hostname.
Disconnect from the current anonymous session and reconnect with a named user account that has ALTER USER privileges. The root user is ideal:
mysql -u root -pEnter the root password when prompted. Once connected as root, you can now change passwords for any user:
ALTER USER 'someuser'@'localhost' IDENTIFIED BY 'newpassword';
FLUSH PRIVILEGES;This is the most straightforward solution for production environments.
Fresh MySQL installations include anonymous accounts by default that should be removed before production use. Connect as root and execute:
DROP USER ''@'localhost';
DROP USER ''@'%';
FLUSH PRIVILEGES;This removes both the localhost and wildcard anonymous accounts. Verify they are gone:
SELECT user, host FROM mysql.user WHERE user = '';Should return an empty result set.
If you are encountering this error when using the --init-file startup option, MySQL is running in a state where the ACL cache is not initialized. Add a FLUSH PRIVILEGES command before attempting password changes:
FLUSH PRIVILEGES;
ALTER USER 'root'@'localhost' IDENTIFIED BY 'newpassword';The FLUSH PRIVILEGES statement reloads the user grant tables and initializes the in-memory ACL cache, allowing subsequent password-change commands to work properly.
If you cannot connect with a named user, start MySQL with the --skip-grant-tables option to bypass authentication entirely:
mysqld --skip-grant-tables &Then connect without credentials:
mysql -u rootWithin that session, reload the grant tables and create/update a user:
FLUSH PRIVILEGES;
ALTER USER 'root'@'localhost' IDENTIFIED BY 'newpassword';After the password is set, stop the server and restart normally. This method is only for recovery situations, not production use.
If you are logged in as a named user but still receive error 1131, verify the user has the required privileges:
SHOW GRANTS FOR 'youruser'@'localhost';The output should include ALTER USER or ALL PRIVILEGES. If not, grant the necessary privilege using root:
GRANT ALTER USER ON *.* TO 'youruser'@'localhost';
FLUSH PRIVILEGES;Note: Some users may only have user-level privileges, which do not permit password changes for other users. They can only change their own password if they are authenticated with their own username.
Why Anonymous Accounts Exist: MySQL creates anonymous accounts by default during installation for convenience in development environments. These accounts allow connections without credentials for quick testing. However, they are security vulnerabilities in production and must be explicitly removed.
Privilege Model: Anonymous accounts match any username but do not have special privileges. When MySQL routes your connection to an anonymous account, it treats you as having minimal permissions. The ALTER USER privilege is explicitly NOT granted to anonymous accounts.
ALTER USER vs SET PASSWORD: Both commands fail with error 1131 for anonymous users. SET PASSWORD is the older syntax (still supported in MySQL 5.7+), while ALTER USER is the modern approach (introduced in 5.7.6). Neither works for anonymous accounts.
--init-file Limitation: This is a known MySQL behavior documented in the 5.7.11 and 5.8.0 changelogs. When the server starts, the ACL cache is not initialized until FLUSH PRIVILEGES is called. Any password change command before that fails with error 1131, even if syntactically correct. This is a startup-time-only issue and does not occur during normal operation.
MariaDB Compatibility: MariaDB raises the same error 1131 with identical behavior and solutions. The fixes described here work for both MySQL and MariaDB.
ERROR 1064: You have an error in your SQL syntax
How to fix "ERROR 1064: You have an error in your SQL syntax" in MySQL
ERROR 1054: Unknown column in field list
Unknown column in field list
ER_WINDOW_RANGE_FRAME_NUMERIC_TYPE (3589): RANGE frame requires numeric ORDER BY expression
RANGE frame requires numeric ORDER BY expression in MySQL window functions
CR_ALREADY_CONNECTED (2058): Handle already connected
How to fix "CR_ALREADY_CONNECTED (2058): Handle already connected" in MySQL
ER_WINDOW_DUPLICATE_NAME (3591): Duplicate window name
How to fix ER_WINDOW_DUPLICATE_NAME (3591) in MySQL window functions