This error occurs when connecting to Redis with an incorrect password or invalid authentication credentials. Verify the password matches your Redis configuration, check the authentication format for Redis 6.0+, and ensure special characters are properly encoded.
The "ERR invalid password" error is raised by Redis when the AUTH command receives an incorrect or malformed password. Redis authenticates connections using either the legacy requirepass mechanism (single password for all connections) or the modern ACL (Access Control List) system introduced in Redis 6.0, which uses username-password pairs. When a client attempts to authenticate with an incorrect password, the Redis server rejects the connection immediately. In Redis 6.0 and later, you must distinguish between default user authentication (password only) and named user authentication (username:password format), plus proper URI encoding for passwords with special characters. This error is distinct from WRONGPASS (similar meaning but used in some contexts) and NOAUTH (no password provided when one is required).
Check the requirepass setting in your redis.conf file:
redis-cli CONFIG GET requirepass
If requirepass is empty (returns an empty string), Redis has no password protection enabled. If it returns a password, verify you are using that exact value.
Example output:
1) "requirepass"
2) "my-secure-password-123"
For managed Redis services (AWS ElastiCache, Azure Redis, Heroku, etc.), find the password in your service dashboard or CLI.
Use redis-cli to manually test the password:
redis-cli -h localhost -p 6379 -a your-password ping
If successful, you should see: PONG
For Redis 6.0+ with named users:
redis-cli -h localhost -p 6379 --user myuser --pass mypassword ping
Ensure your connection string uses the correct format for your Redis version.
For Redis < 6.0 (password only):
redis://:<password>@<host>:<port>/<db>
redis-cli -a <password> -h <host> -p <port>
For Redis 6.0+ (username and password):
redis://<username>:<password>@<host>:<port>/<db>
redis-cli --user <username> --pass <password> -h <host> -p <port>
For Redis 6.0+ default user (password only):
redis://:<password>@<host>:<port>/<db>
redis-cli -a <password> -h <host> -p <port>
Make sure you are not mixing formats. If using Redis 6.0+, verify whether you are connecting to a custom ACL user or the default user.
If your password contains special characters, they must be URL-encoded in connection strings:
Common special character encodings:
: = %3A
@ = %40
# = %23
/ = %2F
? = %3F
& = %26
= = %3D
Example: password is "my:pass@word" encodes as "my%3Apass%40word"
In Node.js with ioredis, let the library handle encoding by passing the plain password:
const redis = new Redis({
host: "localhost",
port: 6379,
password: "my:pass@word"
});
With redis-cli, quote the password:
redis-cli -a "my:pass@word" -h localhost -p 6379 ping
For Redis 6.0+, verify the user exists and is enabled:
redis-cli ACL LIST
redis-cli ACL GETUSER default
The output should show the user is "on", not "off".
If the user is off or does not exist, enable or create it:
Redis-cli ACL SETUSER default on
redis-cli ACL SETUSER myuser on >mynewpassword ~* +@all
redis-cli ACL SETUSER default >newpassword
The > prefix sets a new password for the user.
If you have forgotten the password, you can reset it.
For local Redis server:
Stop Redis: sudo systemctl stop redis-server
Edit redis.conf: sudo nano /etc/redis/redis.conf
Find and modify requirepass requirepass newpassword
Start Redis: sudo systemctl start redis-server
Test: redis-cli -a newpassword ping
For Redis 6.0+ with ACL:
redis-cli ACL SETUSER default >newpassword
Then test: redis-cli -a newpassword ping
For managed services (AWS ElastiCache, etc.), use the service dashboard or CLI to reset/rotate the password.
Managed Redis Services and Password Requirements:
Different Redis providers have specific password policies. AWS ElastiCache requires passwords to be 16-128 characters with letters, numbers, and special characters. Azure Cache for Redis needs 8+ characters with uppercase, lowercase, numbers, and symbols. Heroku Redis auto-generates passwords and cannot be changed manually. Google Cloud Memorystore uses 16-character generated passwords.
Redis 6.0 ACL Authentication Changes:
Redis 6.0 introduced major security improvements with the ACL system. The default user is created automatically with a random password. Multiple users can now have different permission scopes, and passwords are hashed internally. Use ACL WHOAMI and ACL GETUSER to debug authentication issues.
Password Security Best Practices:
Use strong, random passwords (16+ characters with mixed case, numbers, and symbols). Rotate passwords regularly in production. Never commit passwords in code; use environment variables instead. For applications, use connection pooling to minimize authentication overhead. Monitor AUTH command failures to detect brute force attempts.
Troubleshooting High-Security Environments:
Some hosting providers may require TLS for all connections (rediss:// scheme), IP whitelist validation, STARTTLS mode for upgrade from plaintext, or special proxy authentication like AWS IAM. If behind a proxy or using SSH tunnels, ensure the tunnel is established before attempting AUTH.
ERR fsync error
How to fix "ERR fsync error" in Redis
CLUSTERDOWN The cluster is down
How to fix 'CLUSTERDOWN The cluster is down' in Redis
ERR Job for redis-server.service failed because a timeout was exceeded
Job for redis-server.service failed because a timeout was exceeded
ERR Unbalanced XREAD list of streams
How to fix "ERR Unbalanced XREAD list" in Redis
ERR syntax error
How to fix "ERR syntax error" in Redis