diff --git a/client/auth.go b/client/auth.go
index cb479f3ba..006f71e11 100644
--- a/client/auth.go
+++ b/client/auth.go
@@ -115,11 +115,11 @@ func (c *Conn) readInitialHandshake() error {
 			// the first packet *must* have at least 20 bytes of a scramble.
 			// if a plugin provided less, we pad it to 20 with zeros
 			rest := int(authPluginDataLen) - 8
-			if max := 12 + 1; rest < max {
-				rest = max
+			if rest < 13 {
+				rest = 13
 			}
 
-			authPluginDataPart2 := data[pos : pos+rest]
+			authPluginDataPart2 := data[pos : pos+rest-1]
 			pos += rest
 
 			c.salt = append(c.salt, authPluginDataPart2...)
diff --git a/client/client_test.go b/client/client_test.go
index 3917db3f5..1008a101b 100644
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -526,3 +526,16 @@ INSERT INTO field_value_test VALUES (
 		require.Equal(s.T(), expected[i], v.String())
 	}
 }
+
+func (s *clientTestSuite) TestLongPassword() {
+	_, err := s.c.Execute("DROP USER IF EXISTS 'test_long_password'@'%'")
+	require.NoError(s.T(), err)
+	_, err = s.c.Execute("CREATE USER 'test_long_password'@'%' IDENTIFIED BY '12345678901234567890'")
+	require.NoError(s.T(), err)
+
+	addr := fmt.Sprintf("%s:%s", *test_util.MysqlHost, s.port)
+	c, err := Connect(addr, "test_long_password", "12345678901234567890", "")
+	require.NoError(s.T(), err)
+	err = c.Close()
+	require.NoError(s.T(), err)
+}