1. Clear


Although this method is still supported, it is deprecated and should not be used. Client authors should use another authentication method if it is available to them.

The default authentication method is known as “clear”, which refers to the fact that passwords are sent as plain text (“in the clear”). Though clients can run the password through a one-way hash function (MD5) and send the result to the server (as hpassword), they are still vulnerable to replay attacks if the hashed password becomes known.

“Clear” authentication occurs when a username and either password or hpassword is passed to any client/server protocol method. Generally, if a publicly available client refers to using “clear” authentication, rather than challenge-response auth, its author will have implemented password hashing using hpassword instead of sending the password in plain text to the server.
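
The replay weakness described above, as an added example (not code from this documentation or the server it describes): a minimal model of a check that accepts either `password` or `hpassword`, showing that the MD5 digest is itself a static, password-equivalent credential. The account store, function names and sample credentials are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample account; a stand-in for the server's credential store.
ACCOUNTS = {"alice": "correct horse battery"}


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_clear_request(username, password, hashed=True):
    """Client side: send hpassword (MD5 hex digest) or the plain password."""
    if hashed:
        return {"username": username, "hpassword": md5_hex(password)}
    return {"username": username, "password": password}


def verify_clear(request):
    """Server-side model: accept either field, as "clear" auth allows."""
    stored = ACCOUNTS.get(request.get("username"))
    if stored is None:
        return False
    if "hpassword" in request:
        supplied, expected = request["hpassword"].lower(), md5_hex(stored)
    elif "password" in request:
        supplied, expected = request["password"], stored
    else:
        return False
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


def replay_is_accepted():
    """Resend a previously observed request without knowing the password."""
    observed = build_clear_request("alice", "correct horse battery")
    replayed = dict(observed)  # byte-for-byte copy of username + hpassword
    # The digest has no nonce or timestamp, so every login sends the same value.
    unchanged = observed == build_clear_request("alice", "correct horse battery")
    return verify_clear(replayed) and unchanged


if __name__ == "__main__":
    print("hashed login accepted:", verify_clear(build_clear_request("alice", "correct horse battery")))
    print("replayed hpassword accepted:", replay_is_accepted())
```

Because the server compares only the digest, hashing hides the original password text but does nothing to bind the request to a single session.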