MySQL Internals Manual Expired Password

Since MySQL 5.6.7, a MySQL account can be expired with ALTER USER account PASSWORD EXPIRE.

If an account is expired, the session is in a restricted mode which only permits SET PASSWORD ... and similar SET commands. All other statements fail with an error like this:

mysql> SELECT 1;
ERROR 1820 (HY000): You must SET PASSWORD before executing this statement

On the protocol side, the capability flag CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS acts as a safeguard that keeps clients from running into this restricted mode unprepared. Only clients that can handle this mode should set this capability. Usually this means all interactive clients and all applications that have been adjusted to handle ERROR 1820.

If a client does not set that capability and tries to log in with an account that has an expired password, the server returns an ERR packet for the authentication or the COM_CHANGE_USER request, which blocks all actions until a new password has been set.
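
The following is an added example, not code from the MySQL manual or server: it parses a Protocol 4.1 ERR packet payload and models the capability check described above, so an application can tell the expired-password case apart from other errors. The function names and the outcome strings are illustrative assumptions, and the sample packet is constructed.

```python
import struct

# Capability bit as defined in MySQL's mysql_com.h (1 << 22).
CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS = 1 << 22
ER_MUST_CHANGE_PASSWORD = 1820  # the ERROR 1820 shown above


def parse_err_packet(payload: bytes):
    """Parse a Protocol 4.1 ERR packet payload into (code, sqlstate, message)."""
    # Layout: 0xFF header, 2-byte little-endian error code, '#' marker,
    # 5-byte SQLSTATE, then the human-readable message.
    if len(payload) < 9 or payload[0] != 0xFF or payload[3:4] != b"#":
        raise ValueError("not a Protocol 4.1 ERR packet")
    (code,) = struct.unpack_from("<H", payload, 1)
    sqlstate = payload[4:9].decode("ascii")
    message = payload[9:].decode("utf-8", errors="replace")
    return code, sqlstate, message


def login_outcome(client_capabilities: int, password_expired: bool) -> str:
    """Model of the server-side decision described above (names are illustrative)."""
    if not password_expired:
        return "normal_session"
    if client_capabilities & CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS:
        return "restricted_session"  # only SET PASSWORD and similar are permitted
    return "err_packet"  # authentication / COM_CHANGE_USER is refused


def next_action(err_payload: bytes) -> str:
    """What an adjusted application should do with an ERR packet."""
    code, _sqlstate, _message = parse_err_packet(err_payload)
    if code == ER_MUST_CHANGE_PASSWORD:
        # Retrying the statement cannot succeed; rotate the password first.
        return "set_password_then_retry"
    return "report_error"


# Constructed sample: the ERR payload behind the ERROR 1820 output above.
SAMPLE_ERR = (b"\xff" + struct.pack("<H", 1820) + b"#HY000"
              + b"You must SET PASSWORD before executing this statement")

if __name__ == "__main__":
    print(parse_err_packet(SAMPLE_ERR))
    print(login_outcome(0, password_expired=True))
    print(login_outcome(CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS, password_expired=True))
    print(next_action(SAMPLE_ERR))
```

An application that does not implement the `set_password_then_retry` path should leave the capability bit unset, so that an expired account fails at login instead of at the first statement.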