I was asked this question recently, and I thought it was a great little tidbit of knowledge to pass along. The short answer is “no”. The slightly longer answer was written up by Jan Kneschke when dealing with a forum post about proxy + connection pooling.
The clear-text password is _never_ transfered in the authentication phase.
On the network we have:
* client connects to server (no data)
* server sends a seed (40 char, one-time, random)
* client sends 40 char hash of (seed + PASSWORD(clear-text-password))
* server compares against the hash(seed + SELECT password FROM mysql.user WHERE username = )
That way we never have the password as clear-text on the wire. (only in SET PASSWORD or GRANT statements).
Interested in working with Sheeri? Schedule a tech call.