user table. Thus, this issue has a rather low impact. The MySQL authentication uses hashing and a salt in order to prevent authenticating with only a hash or replaying a previously recorded authentication sha1(sha1(pw)) Server -> Client: salt (randomly generated for each connection attempt) Client -> Server: sha1(pw) ^ sha1(salt + sha1(sha1(pw))) Server computes: sha1(client_response ^ sha1(salt + sha1(sha1(pw))) Server the password hash is not known to an attacker, a timing attack is not possible. This is because the salt is never reused and causes unpredictable changes. If the attacker has retrieved the stored password

069c35c2820e1bf33324f27c3fb5852f1/go/mysql/a uth_server.go#L251 func ScrambleMysqlNativePassword(salt, password []byte) []byte { if len(password) == 0 { return nil } // stage1Hash = SHA1(password) Sum(nil) // scrambleHash = SHA1(salt + SHA1(stage1Hash)) // inner Hash crypt.Reset() crypt.Write(stage1) hash := crypt.Sum(nil) // outer Hash crypt.Reset() crypt.Write(salt) crypt.Write(hash) scramble :=