MySQL denies the login because the user account is explicitly marked ACCOUNT LOCK, blocking all connections until an administrator unlocks it.
MySQL error 3118 ER_ACCOUNT_HAS_BEEN_LOCKED means the login failed because the account is locked. Connect as an administrator and run ALTER USER 'user'@'host' ACCOUNT UNLOCK to restore access.
ER_ACCOUNT_HAS_BEEN_LOCKED
MySQL raises Error 3118 when a client tries to authenticate with an account whose ACCOUNT LOCK attribute is active. The server instantly returns Access denied for user ... Account is locked, preventing any session creation.
The condition was introduced in MySQL 5.7.6 to give administrators a simple switch for disabling credentials without deleting them.
The primary cause is a manual CREATE USER ... ACCOUNT LOCK or ALTER USER ... ACCOUNT LOCK statement that sets the locked flag in mysql.user.
Security automation, migration scripts, or external IAM hooks may also run ALTER USER automatically after failed-login thresholds, leaving accounts unintentionally locked.
Clone or dump workflows sometimes lock all users in downstream environments to stop accidental production writes, triggering the error until unlocked.
Connect as a privileged administrator (root or a user with CREATE USER privilege) and run ALTER USER 'account'@'host' ACCOUNT UNLOCK. This instantly clears the flag and allows logins.
If the lock was applied for security, rotate the password with ALTER USER 'account'@'host' IDENTIFIED BY 'NewStrongPwd' ACCOUNT UNLOCK to resume safely.
Staging databases copied from production ship with every account locked; unlock only required service users and leave human accounts disabled.
During incident response, teams lock compromised accounts; once risk subsides, unlock the account and mandate a password change.
CI/CD pipelines may forget to UNLOCK after resetting passwords; add an explicit ACCOUNT UNLOCK step in deployment scripts.
Track ALTER USER statements in version control or Galaxy audit logs to catch unintended locks before deployment.
Use roles and dynamic privileges so you can disable access by revoking role activation instead of fully locking the account.
Periodically review mysql.user for stale locked accounts and drop unused users rather than leaving them permanently disabled.
Error 1045 (ER_ACCESS_DENIED_ERROR) indicates wrong credentials rather than a locked account; verify password or host specification.
Error 3159 (ER_ACCOUNT_HAS_BEEN_SUSPENDED) appears when accounts are suspended by the Resource Group feature; UNSUSPEND restores access.
Error 1396 (ER_CANNOT_USER) shows permission problems when altering a user; ensure you have appropriate privileges.
An administrator intentionally disabled the user with ALTER USER ... ACCOUNT LOCK.
Scripts detected suspicious activity and auto-locked the account.
Cloned databases keep users but lock them to avoid cross-environment interference.
Login fails due to bad password or host mismatch.
Account suspended by Resource Group limits; use UNSUSPEND to reactivate.
Attempt to create or alter user failed because of missing privileges or duplicate entry.
No. ALTER USER ... ACCOUNT UNLOCK takes effect immediately without downtime.
You need CREATE USER or UPDATE privilege on the mysql system database; most production setups grant this only to administrative roles.
MySQL Community Edition does not track failed counts natively, so there is no counter to reset.
Galaxy logs and versions every ALTER USER statement, making it easy to audit who locked or unlocked an account and to roll back accidental changes.
.avif)
.avif){kind=logo}
