MySQL  8.0.15
Source Code Documentation
Native Authentication

Authentication::Native41:

  • The server name is mysql_native_password
  • The client name is mysql_native_password
  • Client side requires a 20-byte random challenge from server
  • Client side sends a 20-byte response packet based on the algorithm described later.
Requires
CLIENT_SECURE_CONNECTION

This method fixes 2 shortcomings of the Old Password Authentication:

  1. using a tested, cryptographic hashing function (SHA1)
  2. knowing the content of the hash in the mysql.user table isn't enough to authenticate against the MySQL Server.

The network packet content for the password is calculated by:

SHA1( password ) XOR SHA1( "20-bytes random data from server" <concat> SHA1( SHA1( password ) ) )

The following is stored into mysql.user.authentication_string

SHA1( SHA1( password ) )
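
The two formulas above, worked through as an added Python example (not code from the MySQL source tree). It shows how a server holding only SHA1( SHA1( password ) ) can check the 20-byte response; the function names and the sample password are assumptions made for the illustration, and the verification step is derived from the formulas rather than copied from the server.

```python
import hashlib
import hmac
import os

SCRAMBLE_LENGTH = 20  # size of the server challenge and of a SHA1 digest


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash(password: bytes) -> bytes:
    """Value kept by the server: SHA1( SHA1( password ) )."""
    return sha1(sha1(password))


def client_response(password: bytes, challenge: bytes) -> bytes:
    """SHA1(password) XOR SHA1(challenge <concat> SHA1(SHA1(password)))."""
    stage1 = sha1(password)
    return xor(stage1, sha1(challenge + sha1(stage1)))


def server_check(response: bytes, challenge: bytes, stored: bytes) -> bool:
    """Verify a response using only the challenge and the stored hash."""
    if len(response) != SCRAMBLE_LENGTH or len(challenge) != SCRAMBLE_LENGTH:
        return False
    # Remove the XOR mask to obtain the claimed SHA1(password) ...
    candidate_stage1 = xor(response, sha1(challenge + stored))
    # ... then hash it once more; the result must equal the stored value.
    # compare_digest is this example's choice of comparison.
    return hmac.compare_digest(sha1(candidate_stage1), stored)


if __name__ == "__main__":
    stored = stored_hash(b"correct horse")       # constructed sample password
    challenge = os.urandom(SCRAMBLE_LENGTH)      # fresh for every connection
    good = client_response(b"correct horse", challenge)
    print(server_check(good, challenge, stored))                        # accepted
    print(server_check(client_response(b"wrong", challenge), challenge, stored))
    # The stored hash sent as the response does not pass (shortcoming 2 above).
    print(server_check(stored, challenge, stored))
    # A response is bound to its challenge: it fails against a new one.
    print(server_check(good, os.urandom(SCRAMBLE_LENGTH), stored))
```
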
See also
native_password_authenticate, native_password_auth_client, native_password_client_plugin, native_password_handler, check_scramble_sha1, compute_two_stage_sha1_hash, make_password_from_salt