Although this method is still supported, it is deprecated and should not be used. Client authors should use another authentication method if it is available to them.
The default authentication method is known as “clear”, which refers to the fact that passwords are being sent as plain-text (“in the clear”). Though clients have the ability to hash passwords with a one-way hash function (MD5) and send them to the server (as hpassword), they are still vulnerable to replay attacks if the hashed password becomes known.
“Clear” authentication occurs when a username and either password or hpassword is passed to any client/server protocol method.
Generally, if a publicly available client refers to using “clear” authentication, rather than challenge-response auth, its author will have implemented password hashing using hpassword instead of sending the password in plain-text to the server.
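The replay weakness described above, as an added example that is not code from the original documentation: a constructed server-side check accepts the same hpassword value on every request, while a hypothetical single-use challenge scheme rejects a repeated response. The account store, the function and class names, and the challenge construction are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed account store (assumption): the server keeps MD5(password) per user.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def verify_clear(params: dict) -> bool:
    """Accept a username plus either password or hpassword, as "clear" auth does."""
    stored = USERS.get(params.get("username", ""))
    if "hpassword" in params:
        presented = params["hpassword"].lower()
    elif "password" in params:
        presented = md5_hex(params["password"].encode())
    else:
        return False
    # hpassword never changes between requests, so it is password-equivalent.
    return stored is not None and hmac.compare_digest(presented.encode(), stored.encode())

class ChallengeAuth:
    """Hypothetical single-use challenge scheme, shown only for contrast."""
    def __init__(self):
        self._open = set()

    def issue(self) -> str:
        challenge = secrets.token_hex(16)
        self._open.add(challenge)
        return challenge

    def verify(self, username: str, challenge: str, response: str) -> bool:
        stored = USERS.get(username)
        if stored is None or challenge not in self._open:
            return False
        self._open.discard(challenge)  # each challenge is honoured once
        expected = md5_hex((challenge + stored).encode())
        return hmac.compare_digest(response.encode(), expected.encode())

def client_response(challenge: str, password: str) -> str:
    """Client side of the hypothetical scheme: MD5(challenge + MD5(password))."""
    return md5_hex((challenge + md5_hex(password.encode())).encode())
```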