MySQL 8.0.31
Source Code Documentation
Native Authentication


  • The server name is mysql_native_password
  • The client name is mysql_native_password
  • Client side requires a 20-byte random challenge from the server
  • Client side sends a 20-byte response packet based on the algorithm described later.

This method fixes 2 shortcomings of the Old Password Authentication:

  1. using a tested, cryptographic hashing function (SHA1)
  2. knowing the content of the hash in the mysql.user table isn't enough to authenticate against the MySQL Server.

The network packet content for the password is calculated by:

SHA1( password ) XOR SHA1( "20-bytes random data from server" <concat> SHA1( SHA1( password ) ) )

The following is stored into mysql.user.authentication_string

SHA1( SHA1( password ) )
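
The two formulas above, worked through as an added Python example (not MySQL's own code; the function names, the sample password and the use of `os.urandom` for the challenge are assumptions made for illustration). It builds the client's 20-byte response and shows how a server can check it using only the challenge and the stored SHA1( SHA1( password ) ).

```python
import hashlib
import hmac
import os

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stored_hash(password: bytes) -> bytes:
    """Value kept on the server side: SHA1(SHA1(password))."""
    return sha1(sha1(password))

def client_response(password: bytes, challenge: bytes) -> bytes:
    """SHA1(password) XOR SHA1(challenge <concat> SHA1(SHA1(password)))."""
    stage1 = sha1(password)
    return xor(stage1, sha1(challenge + sha1(stage1)))

def server_check(response: bytes, challenge: bytes, stored: bytes) -> bool:
    """Verify a response knowing only the challenge and the stored hash."""
    if len(response) != 20 or len(challenge) != 20:
        return False
    # Remove the XOR mask to obtain the candidate SHA1(password) ...
    candidate_stage1 = xor(response, sha1(challenge + stored))
    # ... then hash once more; it must equal the stored double hash.
    return hmac.compare_digest(sha1(candidate_stage1), stored)

if __name__ == "__main__":
    password = b"constructed-sample-password"   # constructed sample value
    stored = stored_hash(password)
    challenge = os.urandom(20)                   # stand-in for the server's random data
    reply = client_response(password, challenge)
    print("valid reply accepted:   ", server_check(reply, challenge, stored))
    print("stored hash as reply:   ", server_check(stored, challenge, stored))
    print("wrong password accepted:", server_check(
        client_response(b"not-the-password", challenge), challenge, stored))
    print("reply reused on new challenge:", server_check(reply, os.urandom(20), stored))
```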
See also
native_password_authenticate, native_password_auth_client, native_password_client_plugin, native_password_handler, check_scramble_sha1, compute_two_stage_sha1_hash, make_password_from_salt