. It will be hashed by the PASSWORD function prior to being stored to the mysql.user table. For example, if our password is mariadb, then we can set the account's password with: ALTER USER foo2@test IDENTIFIED BY 'mariadb'; If you do not specify a password with the IDENTIFIED BY clause, the user will be able to connect without a password. A blank password is not a wildcard to match any password. The user must connect without providing a password if no password is set. The only authentication plugins that this clause supports are mysql_native_password and mysql_old_password. IDENTIFIED BY PASSWORD 'password_hash' -------------------------------------- The optional IDENTIFIED BY PASSWORD clause can be used to provide an account with a password that has already been hashed. The password should be specified as a hash that was provided by the PASSWORD#function. It will be stored to the mysql.user table as-is. For example, if our password is mariadb, then we can find the hash with: SELECT PASSWORD('mariadb'); +-------------------------------------------+ | PASSWORD('mariadb') | +-------------------------------------------+ | *54958E764CE10E50764C2EECBB71D01F08549980 | +-------------------------------------------+ And then we can set an account's password with the hash: ALTER USER foo2@test IDENTIFIED BY PASSWORD '*54958E764CE10E50764C2EECBB71D01F08549980'; If you do not specify a password with the IDENTIFIED BY clause, the user will be able to connect without a password. A blank password is not a wildcard to match any password. The user must connect without providing a password if no password is set. The only authentication plugins that this clause supports are mysql_native_password and mysql_old_password. IDENTIFIED {VIA|WITH} authentication_plugin ------------------------------------------- The optional IDENTIFIED VIA authentication_plugin allows you to specify that the account should be authenticated by a specific authentication plugin. The plugin name must be an active authentication plugin as per SHOW PLUGINS. If it doesn't show up in that output, then you will need to install it with INSTALL PLUGIN or INSTALL SONAME. For example, this could be used with the PAM authentication plugin: ALTER USER foo2@test IDENTIFIED VIA pam; Some authentication plugins allow additional arguments to be specified after a USING or AS keyword. For example, the PAM authentication plugin accepts a service name: ALTER USER foo2@test IDENTIFIED VIA pam USING 'mariadb'; The exact meaning of the additional argument would depend on the specific authentication plugin. In MariaDB 10.4 and later, the USING or AS keyword can also be used to provide a plain-text password to a plugin if it's provided as an argument to the PASSWORD() function. This is only valid for authentication plugins that have implemented a hook for the PASSWORD() function. For example, the ed25519 authentication plugin supports this: ALTER USER safe@'%' IDENTIFIED VIA ed25519 USING PASSWORD('secret'); TLS Options ----------- By default, MariaDB transmits data between the server and clients without encrypting it. This is generally acceptable when the server and client run on the same host or in networks where security is guaranteed through other means. However, in cases where the server and client exist on separate networks or they are in a high-risk network, the lack of encryption does introduce security concerns as a malicious actor could potentially eavesdrop on the traffic as it is sent over the network between them. To mitigate this concern, MariaDB allows you to encrypt data in transit between the server and clients using the Transport Layer Security (TLS) protocol. TLS was formerly known as Secure Socket Layer (SSL), but strictly speaking the SSL protocol is a predecessor to TLS and, that version of the protocol is now considered insecure. The documentation still uses the term SSL often and for compatibility reasons TLS-related server system and status variables still use the prefix ssl_, but internally, MariaDB only supports #¼ØE