The Problem

Your application cannot authenticate to Redis. The AUTH command returns an error, and all subsequent commands are rejected. You see errors like:

bash
(error) WRONGPASS invalid username-password pair

Or:

bash
(error) ERR Client sent AUTH, but no password is set

Or in application logs:

bash
Redis::CommandError: WRONGPASS invalid username-password pair

Applications fail to connect, and operations queue up or timeout waiting for Redis access.

Why Authentication Fails

Redis authentication errors occur for several reasons:

  1. 1.Wrong password - Password doesn't match requirepass setting
  2. 2.No password set - AUTH sent when Redis has no authentication configured
  3. 3.ACL mismatch - Username exists but password is incorrect for that user
  4. 4.Password changed - Application using old password after server change
  5. 5.Connection string format - Incorrect Redis URL format
  6. 6.Special characters - Password with special chars not properly escaped
  7. 7.Environment variables - Password not correctly loaded from environment

Diagnosis Steps

Check if Authentication is Required

```bash # Check if password is set redis-cli CONFIG GET requirepass

# Empty result means no password is set # requirepass "" indicates authentication is disabled

# Check ACL configuration (Redis 6+) redis-cli ACL LIST redis-cli ACL GETUSER default ```

Test Authentication Manually

```bash # Try connecting without password redis-cli ping # If this works, no password is required

# Try connecting with password redis-cli -a "yourpassword" ping # If this fails with WRONGPASS, password is wrong

# Try AUTH command explicitly redis-cli 127.0.0.1:6379> AUTH "yourpassword" (error) WRONGPASS invalid username-password pair ```

Check Redis Logs

```bash # Find log file location redis-cli CONFIG GET logfile

# View recent logs tail -50 /var/log/redis/redis-server.log

# Or via systemd journalctl -u redis-server -n 50 ```

Verify ACL Configuration (Redis 6+)

```bash # List all users redis-cli ACL LIST

# Check default user redis-cli ACL GETUSER default

# Output shows: # user default on #passwordhash ~* &* +@all # or # user default off &* -@all ```

Check Application Configuration

```bash # Check how application connects # Look for: # - redis:// URLs # - host, port, password parameters # - environment variables

# Common patterns: redis://:password@host:port/db redis://user:password@host:port/db ```

Solutions

Solution 1: Set or Reset Password

If you need to set a password:

```bash # Set password redis-cli CONFIG SET requirepass "new_secure_password"

# In redis.conf for persistence: requirepass "new_secure_password"

# After setting, always use password redis-cli -a "new_secure_password" ping ```

To remove password (for development only):

bash
redis-cli CONFIG SET requirepass ""
# Warning: This disables authentication

Solution 2: Update Application Password

Ensure application uses correct password:

```javascript // Node.js with ioredis const Redis = require('ioredis');

// Correct format const redis = new Redis({ host: 'localhost', port: 6379, password: 'correct_password', db: 0 });

// Or via URL const redis = new Redis('redis://:correct_password@localhost:6379/0'); ```

```python # Python with redis-py import redis

r = redis.Redis( host='localhost', port=6379, password='correct_password', db=0 )

# Or via URL r = redis.from_url('redis://:correct_password@localhost:6379/0') ```

```php <?php // PHP with Predis $client = new Predis\Client([ 'scheme' => 'tcp', 'host' => '127.0.0.1', 'port' => 6379, 'password' => 'correct_password' ]);

// Or via URL $client = new Predis\Client('redis://:correct_password@127.0.0.1:6379'); ```

Solution 3: Configure ACL Users (Redis 6+)

For more granular access control:

```bash # Create user with password redis-cli ACL SETUSER myuser on >mypassword ~* +@all

# Create limited user redis-cli ACL SETUSER readonly on >readpass ~* +@read +@connection

# View users redis-cli ACL LIST

# Save ACL to file redis-cli ACL SAVE ```

In redis.conf:

```ini # Load ACL file aclfile /etc/redis/users.acl

# Or define inline user myuser on >mypassword ~* +@all user readonly on >readpass ~* +@read ```

Connect with specific user:

```bash redis-cli --user myuser --pass mypassword

# Or redis-cli AUTH myuser mypassword ```

Solution 4: Handle Special Characters in Password

Passwords with special characters need careful handling:

```bash # Password with special chars: p@ss!w0rd#123

# In redis-cli, use quotes redis-cli -a "p@ss!w0rd#123" ping

# In redis.conf, use quotes requirepass "p@ss!w0rd#123"

# In URL encoding for connection strings # @ becomes %40, ! becomes %21, # becomes %23 redis://:p%40ss%21w0rd%23123@localhost:6379 ```

Solution 5: Use Environment Variables

Don't hardcode passwords:

```bash # Set environment variable export REDIS_PASSWORD="secure_password"

# In application redis-cli -a "$REDIS_PASSWORD" ping ```

javascript
// Node.js
const redis = new Redis({
    password: process.env.REDIS_PASSWORD
});
python
# Python
import os
r = redis.Redis(password=os.environ.get('REDIS_PASSWORD'))

Solution 6: Fix Docker/Kubernetes Configuration

For containerized deployments:

yaml
# Kubernetes Secret
apiVersion: v1
kind: Secret
metadata:
    name: redis-secret
type: Opaque
stringData:
    redis-password: "secure_password"
yaml
# Deployment with password from secret
apiVersion: apps/v1
kind: Deployment
spec:
    containers:
    - name: app
        env:
        - name: REDIS_PASSWORD
            valueFrom:
                secretKeyRef:
                    name: redis-secret
                    key: redis-password
yaml
# docker-compose.yml
version: '3'
services:
    redis:
        image: redis:7
        command: redis-server --requirepass ${REDIS_PASSWORD}
    app:
        environment:
            - REDIS_PASSWORD=${REDIS_PASSWORD}

Solution 7: Debug Authentication Issues

```bash # Check exact password being used redis-cli DEBUG SLEEP 0 # Just to verify connection

# Enable verbose logging temporarily redis-cli CONFIG SET loglevel debug

# Check configuration source redis-cli CONFIG GET requirepass ```

Configuration Best Practices

```ini # /etc/redis/redis.conf

# Basic authentication requirepass "strong_password_here"

# ACL file (Redis 6+) aclfile /etc/redis/users.acl

# Protected mode protected-mode yes

# Bind to specific interfaces bind 127.0.0.1 10.0.0.1 ```

ACL file example:

bash
# /etc/redis/users.acl
user admin on >admin_password ~* &* +@all
user app on >app_password ~app:* &* +@read +@write +@connection
user readonly on >read_password ~* &* +@read +@connection
user default off &* -@all

Verification Script

```bash #!/bin/bash # auth_test.sh

PASSWORD="${REDIS_PASSWORD:-}"

if [ -z "$PASSWORD" ]; then echo "ERROR: REDIS_PASSWORD not set" exit 1 fi

# Test connection if redis-cli -a "$PASSWORD" ping 2>/dev/null | grep -q PONG; then echo "OK: Authentication successful" else echo "FAIL: Authentication failed" echo "Checking Redis config..." redis-cli CONFIG GET requirepass exit 1 fi ```

Prevention Checklist

  • [ ] Use strong, unique passwords
  • [ ] Store passwords in secrets/environment variables
  • [ ] Use ACLs for granular permissions (Redis 6+)
  • [ ] Document password change procedures
  • [ ] Test authentication after configuration changes
  • [ ] Rotate passwords regularly
  • [ ] Monitor for authentication failures
  • [ ] Keep backup of ACL configuration
  • [Redis Connection Refused](./fix-redis-connection-refused)
  • [Redis Max Clients Reached](./fix-redis-max-clients)
  • [Redis Protected Mode Blocking](./fix-redis-protected-mode-blocking-remote)