MySQL log shows 3 root users, 2 without passwords? Why?

Solution 1:

I know this is an old thread, but I wanted to add a few more points:

Three root users are generated by default when you first create a database. They are all created without passwords. At that time, the installation also recommends you set a password by running mysqladmin -u root password, which will change the password for 'root'@'%'.

The two that still don't have passwords are local to the host specified in the Host column; in both of these cases, it's the actual DB server. They do both have full access to the database by default. One might correctly surmise that, in many cases, if you were able to log in to the machine (which would be necessary to use either of these root accounts) in the first place, then you probably have access to the actual files on disk. So having passwords on these might not yield any real security.

That being said, I prefer to remove these default accounts, and stick with password-ed accounts.

DELETE FROM mysql.user WHERE Password=''; FLUSH PRIVILEGES;

Solution 2:

First off, why are there 3 root users

Because someone added three root users.

(and do we need 127.0.0.1 since we have localhost)?

In MySQL localhost and 127.0.0.1 are fundamentally different. The host 'localhost' in MySQL means "connect locally using a unix socket". The 127.0.0.1 host means "connect via the loopback interface using TCP".

Second, why would two of them not have passwords set?

Because no one set a password for them.

Third, do the web12-b0 and 127.0.0.1 hosts have full root access without having to use a password (as it appears)?

You have provided insufficient information to answer this. The presence of a user in MySQL implies no permission besides USAGE (the ability to connect). To view the permissions for a user you must use:

SHOW GRANTS FOR user@host;

Fourth, is there some valid reason for this or should I suggest the admin put passwords on those two hosts?

I would advise against having any accounts without a password on your MySQL server.
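
The two answers combined into one audit-then-fix pass, as an added example that is not part of either answer. It assumes the older mysql.user layout with a Password column that Solution 1 uses; the account names are the ones from the question and the password is a placeholder.

```sql
-- Added example. Assumes the pre-5.7 mysql.user layout (a Password column).
-- On MySQL 5.7+ the column is authentication_string, and an account that uses
-- a socket plugin (auth_socket) has an empty value there without being
-- passwordless, so check the plugin column before acting on an empty string.

-- 1. List every account with an empty password, anonymous users included,
--    with the global privileges that matter most.
SELECT User, Host,
       IF(User = '', 'anonymous', 'named') AS kind,
       Super_priv, Grant_priv, File_priv
FROM mysql.user
WHERE Password = ''
ORDER BY User, Host;

-- 2. See what each account can actually do before changing it.
--    'web12-b0' is the hostname from the question.
SHOW GRANTS FOR 'root'@'127.0.0.1';
SHOW GRANTS FOR 'root'@'web12-b0';

-- 3a. To keep an account, give it a password (placeholder value).
SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('REPLACE_WITH_STRONG_PASSWORD');

-- 3b. To remove an account, use DROP USER. It also removes the account's
--     rows from the other grant tables (mysql.db, mysql.tables_priv, ...),
--     which a DELETE on mysql.user leaves behind, and it needs no
--     FLUSH PRIVILEGES.
DROP USER 'root'@'web12-b0';

-- 4. Confirm that no passwordless account remains; expect 0.
SELECT COUNT(*) AS passwordless_accounts
FROM mysql.user
WHERE Password = '';
```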