MySQL Error 2049: CR_UNUSED_1 – Connection Using Old Authentication Protocol Refused – How to Fix

Galaxy Team
August 5, 2025

MySQL error 2049 (CR_UNUSED_1) appears when a secure_auth-enabled client tries to log in with the obsolete pre-4.1 password hash.

What is MySQL error 2049 (CR_UNUSED_1)?

MySQL Error 2049: CR_UNUSED_1 signals that the server rejected a login because the client demanded secure_auth while the user account still uses the pre-4.1 password hash. Upgrade the account with ALTER USER … IDENTIFIED WITH mysql_native_password or disable secure_auth in the client to resolve the issue.

Error Highlights

Typical Error Message: Connection using old (pre-4.1.1) authentication protocol refused (client option 'secure_auth' enabled)

Error Type: Authentication Error

Language: MySQL

Symbol: CR_UNUSED_1

Error Code: 2049

What is MySQL error 2049 (CR_UNUSED_1)?

Error 2049 originates from the MySQL client library when secure_auth enforcement detects that the target user account stores a password in the obsolete pre-4.1 hashing format.

The client aborts the handshake and shows: “Connection using old (pre-4.1.1) authentication protocol refused (client option 'secure_auth' enabled).” Fixing the mismatch restores connectivity and protects against weak hashes.

What Causes This Error?

Secure_auth forces clients 5.6 and later to reject the 16-byte legacy hash.

Any user account created before MySQL 4.1 or never updated still uses that format, triggering the error on login.

Downgrade connections, cloned test databases, or third-party tools may still hold legacy users. Migrating them or toggling secure_auth clears the fault.

How to Fix MySQL Error 2049

Option 1: Upgrade the user’s password hash with ALTER USER … IDENTIFIED BY 'new_password'.

This rewrites the credential using the 41-byte native algorithm that secure_auth expects.

Option 2: Disable secure_auth temporarily in the client (--skip-secure-auth) or set secure_auth=0 in my.cnf, though this weakens security and is not recommended for production.

Common Scenarios and Solutions

Legacy dump restores: After importing an old dump, immediately run ALTER USER for every affected account.

Automated scripts: Add a CREATE USER … IDENTIFIED BY statement instead of directly inserting into mysql.user to avoid legacy hashes.

Best Practices to Avoid This Error

Always create or modify users with CREATE USER or ALTER USER on servers 5.7+.

Never write credentials manually.

Enable password expiration and enforce default_authentication_plugin=mysql_native_password or caching_sha2_password to guarantee modern hashes.

Related Errors and Solutions

ERROR 1251 (08004): Client does not support authentication protocol requested by server – occurs in reverse when the server wants a new hash but the client is too old. Upgrade the client library.

ERROR 2054 (HY000): Server sent authentication method unknown – appears when plugins differ. Align default_authentication_plugin on both sides.

Related Errors

Error 1251 (08004) – Client does not support authentication protocol requested by server

Happens when a modern server demands a new plugin but the client is outdated. Upgrade or recompile the client library.

Error 2054 (HY000) – Server sent authentication method unknown to client

Indicates a plugin mismatch such as caching_sha2_password on MySQL 8 while the client supports only mysql_native_password.

Error 1862 (HY000) – Your password has expired

Occurs when the account’s password_lifetime is exceeded.

Reset the password to regain access.

FAQs

Does disabling secure_auth expose my database?

Yes. Turning off secure_auth allows weak pre-4.1 hashes and increases risk of password cracking. Use only in non-production environments.

How can I list users with old hashes?

Run: SELECT user, host FROM mysql.user WHERE length(authentication_string)=16; Accounts returned need updating.
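An audit built on that query, as an added example that is not part of the original article or of any Galaxy or MySQL tooling: it goes beyond the length check by also validating the hash shape, then emits an ALTER USER statement for each legacy account. It assumes the rows were exported as tab-separated user, host, authentication_string (for example with mysql -N -B); the function names, the sample rows and the <new_password> placeholder are constructed for illustration.

```python
import re

# Hash shapes: pre-4.1 is 16 hex characters; the 4.1+ native hash is '*' + 40 hex (41 bytes).
LEGACY_RE = re.compile(r"[0-9a-fA-F]{16}")
NATIVE_RE = re.compile(r"\*[0-9a-fA-F]{40}")
PLACEHOLDER = "<new_password>"  # placeholder; substitute a real secret out of band


def classify(auth_string):
    """Return 'empty', 'legacy', 'native' or 'other' for one stored credential."""
    if not auth_string:
        return "empty"
    if LEGACY_RE.fullmatch(auth_string):
        return "legacy"
    if NATIVE_RE.fullmatch(auth_string):
        return "native"
    return "other"  # another plugin's format; not what error 2049 is about


def quote(value):
    """Quote an account-name part as a MySQL string literal (default sql_mode assumed)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def audit(tsv_text):
    """Parse user<TAB>host<TAB>authentication_string rows; return (findings, fixes)."""
    findings, fixes = [], []
    for line in tsv_text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2:
            continue  # blank or malformed row
        user, host = parts[0], parts[1]
        kind = classify(parts[2] if len(parts) > 2 else "")
        findings.append((user, host, kind))
        if kind == "legacy":
            fixes.append(f"ALTER USER {quote(user)}@{quote(host)} IDENTIFIED BY '{PLACEHOLDER}';")
    return findings, fixes


# Constructed sample rows (not real credentials), shaped like `mysql -N -B` output.
SAMPLE = "\n".join([
    "app\tlocalhost\t*" + "A1B2C3D4E5" * 4,
    "report\t%\t0123456789abcdef",
    "o'brien\t10.0.0.%\tfedcba9876543210",
    "anon\tlocalhost\t",
])

if __name__ == "__main__":
    findings, fixes = audit(SAMPLE)
    for row in findings:
        print(*row, sep="\t")
    print(*fixes, sep="\n")
```

Accounts reported as empty have no password at all and need separate review; they are not what triggers error 2049.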

Will changing default_authentication_plugin fix 2049?

No. Error 2049 is about hash length, not plugin. You must regenerate the password or disable secure_auth.

Can Galaxy help prevent this error?

Galaxy’s modern SQL editor surfaces authentication failures instantly, and its AI copilot suggests ALTER USER commands, reducing the time to patch legacy accounts.
