<p>The server rejects connections that attempt to send passwords in plain text without SSL or an RSA key pair.</p>
<p>MySQL Error 1759: ER_INSECURE_PLAIN_TEXT means the client is sending a password in plain text over an unencrypted connection. Enable SSL, use an RSA public key, or switch to a secure authentication plugin to resolve the problem.</p>
Sending passwords in plain text without SSL/TLS is
Error 1759 fires when a MySQL client tries to authenticate by sending the password in clear text over a connection that is not protected by SSL or an RSA key pair.
MySQL 5.7 and later block this behavior by default because unencrypted credentials can be intercepted by network attackers.
The message appears immediately after the client sends the login request if TLS is disabled, no RSA key is configured, and the server requires secure transport.
It is common after upgrades, container redeployments, or when moving to managed cloud databases that enforce stricter defaults.
Plain text passwords can be captured with simple packet sniffers, giving attackers full database access. Fixing the error restores connectivity while preserving data security and compliance.
MySQL checks three settings: SSL availability, an RSA key pair for the sha256_password plugin, and the secure_transport system variable. If all three are absent or off, the server blocks plain text login.
Custom authentication plugins or outdated client libraries can also force plain text, triggering the error.
Enable SSL on both server and client, or configure an RSA key pair and instruct the client to use it. Alternatively, switch users to mysql_native_password with proper hashing.
After changes, restart affected services and test with mysql --ssl-mode=REQUIRED or your driver’s SSL flags.
Docker containers often omit SSL certificates. Mount server.crt and server.key, then set require_secure_transport=ON.
Cloud SQL instances block non SSL traffic by default. Update application connection strings to include ssl_ca, ssl_cert, and ssl_key parameters.
Always generate certificates during provisioning, enforce TLS 1.2+, and monitor performance_schema.maintain_ssl_stats for failed secure connections.
Automate certificate renewal with cron or systemd timers to prevent lapses.
ER_ACCESS_DENIED_ERROR occurs when credentials are wrong. ER_SECURE_TRANSPORT_REQUIRED (code 3159) appears if secure_transport is ON and SSL is disabled. Solutions overlap: enable SSL and update plugins.
If mysqld starts without --ssl-cert and --ssl-key, no encrypted channel is available and authentication drops to plain text.
The sha256_password plugin needs a public/private RSA key pair. Without it, the server cannot encrypt the password packet.
Legacy clients compiled before MySQL 5.6 may still attempt plain text logins and bypass secure_auth settings.
Applications that omit SSL parameters or set ssl-mode=DISABLED will force clear text transmission, triggering the error.
Raised when require_secure_transport=ON and the client connects without SSL. Fix by enabling SSL similar to Error 1759.
Occurs after repeated login failures. Verify username, host pattern, and password hash.
Client uses an outdated authentication plugin. Upgrade the driver or change user to a supported plugin.
No. The server blocked the connection before any plain text password traveled over the wire, so credentials were not leaked.
You can set require_secure_transport=OFF, but this is strongly discouraged in production because it weakens security.
Newer versions tighten defaults, turning secure_transport ON and deprecating plain text authentication.
Galaxy’s desktop SQL editor surfaces SSL misconfigurations, auto adds ssl-mode=REQUIRED to connection strings, and highlights insecure plugins during query execution.
.avif)
.avif){kind=logo}
