Showing entries 1 to 3

Tags Filter: database security

Articles
I was asked this question recently, and I thought it was a great little tidbit of knowledge to pass along. The short answer is "no". The slightly longer answer was written up by Jan Kneschke when dealing with a forum post about proxy + connection pooling.

From http://forums.mysql.com/read.php?146,169265,169700

The clear-text password is _never_ transferred in the authentication phase.

On the network we have:
Articles
The answers to the last pop quiz are up: http://www.pythian.com/blogs/868/pop-quiz-mysql-cluster

So here's another pop quiz. Given the following:

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 16450949 to server version: 4.1.14-standard-log
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> select count(*),length(password) from mysql.user group by l
Presentations
I was recently asked a question by someone who had attended my Shmoocon talk entitled "Why are Databases So Hard to Secure?". PDF slides are available (1.34 Mb). I was going to put this into a more formal structure, but the conversational nature works really well. I would love to see comments reflecting others' thoughts.

I found several things of interest in your talk about database security and several new things to think about. In particular I realized that DBMSs have at least two hats in the world of software architecture, namely as technical services ("smart file system") and as application framework. Perhaps that "depth" is one of the reasons why DBMS is hard to secure? For example, considering just the question of who or what have user roles within a DBMS deployment. From the "deep" point of view, the "user" could be an application, or a module, or just the next layer up