http://mysqlblog.fivefarmers.com/2015/04/10/improved-alter-user-syntax-support-in-5-7/
Before MySQL Server 5.7.6, ALTER USER could only be used to expire a user’s password. That’s pretty limited. With changes made in MySQL Server 5.7.6, a better distinction is made between privilege-level attributes (those which are managed via GRANT and REVOKE statements) and account-level attributes (those managed using CREATE USER and ALTER USER statements). MySQL has a long history of confusing these – for example, requiring a GRANT command to set account resource limits or require SSL. This all changes for the better in MySQL Server 5.7 – here’s how:
Account attributes
These are consistent with CREATE USER – the same attributes which can be defined with a CREATE USER command can now be modified using an ALTER USER command. These attributes are:
Password/credentials or auth plugin mapping
Authentication plugin type
SSL/X509 requirements
Resource constraints
Password expiration status and policy
Account locking
These attributes, and the syntax by which they are modified, is now consistent across CREATE USER and ALTER USER commands.
http://mysqlblog.fivefarmers.com/2015/04/09/create-user-improvements/
Prior to MySQL 5.7, the CREATE USER command had a number of limitations:
No way to set both authentication plugin and password
No way to disable a user
No way to define user resource limitations
No way to set a non-default password expiration policy
No way to require SSL/x509
All of these things could be done through other means, but typically involved other statements, such as GRANT commands. Starting with MySQL 5.7.6, these can all be done through a new and improved CREATE USER syntax: