Since MySQL 5.6.7, a MySQL account can be expired with
ALTER USER account
If a account is expired, the session is in a restricted mode
which only permits
SET PASSWORD ... and
SET commands. All other statements
fail with an error like this:
mysql> SELECT 1; ERROR 1820 (HY000): You must SET PASSWORD before executing this statement
On the protocol side exists a safeguard
to protect clients from running into special mode. Only
clients that can handle this mode should set this capability.
Usually this means all interactive clients and all
applications that got adjusted to handle the
If a client is not setting that capability and it tries to login with an account that has an expired password, the server will return an ERR packet for the authentication or the COM_CHANGE_USER request. Basically blocking all actions until a new password got set.