diff --git a/TODO.txt b/TODO.txt
index 62819d8f..c24fad4d 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -1,16 +1,15 @@
 sha256_password auth plugin
-	Tests to prove when auth method mismatch yes/no
-	Separate tests for SSL yes/no
 	Unit tests for auth calculator & refactor
 	Set error_info when there is an auth plugin involved
 		Unknown auth plugin
 		Auth plugin requires SSL
-	Skip integ tests in mariadb (devops)
+	Skip integ tests in mariadb and MySQL 5 (devops)
 	absence may cause BadUser tests to fail in 8.0: remove corrective measures here
 	Test for an unknown auth plugin
 	Update readme
 	Unit test for auth_more_data
 	Integ tests for ssl_enable and YES/NO support for SSL (and maybe checking sha256 fails)
+	Integ tests for different default auth plugins
 Multiresultset
 	Text protocol
 	Binary protocol (stored procedures)
diff --git a/test/integration/handshake.cpp b/test/integration/handshake.cpp
index ba2c6c21..384f3f7a 100644
--- a/test/integration/handshake.cpp
+++ b/test/integration/handshake.cpp
@@ -52,9 +52,16 @@ struct HandshakeTest : public IntegTest,
 		validate_ssl(GetParam().ssl);
 	}
 
-	void load_sha256_cache(const char* user, const char* password)
+	void load_sha256_cache(const std::string& user, const std::string& password)
 	{
-		check_call(stringize("mysql -u ", user, " -p", password, " -e \"\""));
+		if (password.empty())
+		{
+			check_call(stringize("mysql -u ", user, " -e \"\""));
+		}
+		else
+		{
+			check_call(stringize("mysql -u ", user, " -p", password, " -e \"\""));
+		}
 	}
 
 	void clear_sha256_cache()
@@ -149,6 +156,32 @@ TEST_P(HandshakeTest, CachingSha2PasswordEmptyPasswordCacheMiss_SuccessfulLogin)
 	do_handshake_ok();
 }
 
+TEST_P(HandshakeTest, CachingSha2PasswordBadPasswordCacheMiss_FailedLogin)
+{
+	if (skip_sha256() || !should_use_ssl(GetParam().ssl))
+	{
+		GTEST_SKIP();
+	}
+
+	clear_sha256_cache();
+	set_credentials("csha2p_user", "bad_password");
+	auto result = do_handshake();
+	result.validate_error(errc::access_denied_error, {"access denied", "csha2p_user"});
+}
+
+TEST_P(HandshakeTest, CachingSha2PasswordBadPasswordCacheHit_FailedLogin)
+{
+	if (skip_sha256() || !should_use_ssl(GetParam().ssl))
+	{
+		GTEST_SKIP();
+	}
+
+	set_credentials("csha2p_user", "bad_password");
+	load_sha256_cache("csha2p_user", "csha2p_password");
+	auto result = do_handshake();
+	result.validate_error(errc::access_denied_error, {"access denied", "csha2p_user"});
+}
+
 TEST_P(HandshakeTest, NoDatabase_SuccessfulLogin)
 {
 	connection_params.set_database("");