diff --git a/docs/pages/database-access/guides/mysql-self-hosted.mdx b/docs/pages/database-access/guides/mysql-self-hosted.mdx
index f963a5b9d0cc1..e71f4f72afe4d 100644
--- a/docs/pages/database-access/guides/mysql-self-hosted.mdx
+++ b/docs/pages/database-access/guides/mysql-self-hosted.mdx
@@ -54,8 +54,8 @@ which you'll need to enable mutual TLS on your MySQL server.
## Step 3/4. Configure MySQL/MariaDB
-
- To configure MySQL to accept TLS connections, add the following to your
+
+To configure MySQL to accept TLS connections, add the following to your
MySQL configuration file, `mysql.cnf`:
```conf
@@ -65,9 +65,10 @@ ssl-ca=/path/to/server.cas
ssl-cert=/path/to/server.crt
ssl-key=/path/to/server.key
```
-
-
- To configure MariaDB to accept TLS connections, add the following to your
+
+
+
+To configure MariaDB to accept TLS connections, add the following to your
MariaDB configuration file, `mysql.cnf`:
```conf
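Review bot: the three consecutive blank lines added between the MySQL config block and the MariaDB paragraph (the `+` lines before `+To configure MariaDB to accept TLS connections`) are more than the page needs; one blank line separates the two blocks in the rest of this file, so collapse them to a single blank line for consistency.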
@@ -77,29 +78,55 @@ ssl-ca=/path/to/server.cas
ssl-cert=/path/to/server.crt
ssl-key=/path/to/server.key
```
-
+
+
Additionally, your MySQL/MariaDB database user accounts must be configured to require a
-valid client certificate. If you're creating a new user:
+valid client certificate.
+
+
+
+Create a new user:
```sql
CREATE USER 'alice'@'%' REQUIRE SUBJECT '/CN=alice';
```
-If you're updating an existing user:
+By default, the created user may not have access to anything and won't be able
+to connect, so let's grant it some permissions:
+
+```sql
+GRANT ALL ON `%`.* TO 'alice'@'%';
+```
+
+
+This is an example command that grants database-wide permissions to a user.
+In a production environment you should follow the principle of least privilege
+
+
+
+
+Because Teleport uses certificates to authenticate database users, the user must
+not have a password set. Note that removing an existing user's password may break
+existing integrations. Consider using a new Database user specifically for Teleport
+access.
+
+Update the existing user to require a valid certificate:
```sql
ALTER USER 'alice'@'%' REQUIRE SUBJECT '/CN=alice';
```
-By default, the created user may not have access to anything and won't be able
-to connect, so let's grant it some permissions:
+Remove the password from the user:
```sql
-GRANT ALL ON `%`.* TO 'alice'@'%';
+SET PASSWORD FOR 'alice'@'%' = PASSWORD("");
```
+
+
+
See
[Configuring MySQL to Use Encrypted Connections](https://dev.mysql.com/doc/refman/8.0/en/using-encrypted-connections.html)
in the MySQL documentation or
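Review bot: `SET PASSWORD FOR 'alice'@'%' = PASSWORD("");` will fail on MySQL 8.0, which this page links to ("Configuring MySQL to Use Encrypted Connections" in the 8.0 manual): the `PASSWORD()` function was deprecated in 5.7 and removed in 8.0, so the statement errors out with an unknown-function error. Use a form that works on both MySQL and MariaDB, e.g. `ALTER USER 'alice'@'%' IDENTIFIED BY '';`, or if you keep `SET PASSWORD`, drop the function call and assign the empty string directly (`SET PASSWORD FOR 'alice'@'%' = '';`). Two smaller points in the same hunk: the sentence `In a production environment you should follow the principle of least privilege` has no terminating period, and "database-wide permissions" understates what `GRANT ALL ON `%`.*` does, since `%` is a wildcard matching every database, so say "on all databases". The runs of three or four blank lines added around the new paragraphs should also be collapsed to single blank lines to match the rest of the file.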