> On Sep 22, 2005, at 1:27 PM, Erwin Hoffmann wrote:
> >>> If you use CRAM-MD5 for the AUTH method, it's impossible to sniff
> >>> the cleartext password.
> > I don't bet on this. If you tape the SMTP dialogue, it's easy to
> > the password.
> I think you're wrong. AUTH PLAIN and AUTH LOGIN are just base64
> encoded cleartext and you can determine the password from them.
> CRAM-MD5 involves a one-way hash. It is impossible to reverse the
> and determine the cleartext password. Each time you connect, a
> different challenge results in a different response. The only way the
> server and client can generate the correct response is to have the
> cleartext password available.
> Given the challenge and response, it is not possible to generate the
> cleartext password.
I'm with Tom on this one; the CRAM-MD5 algorithm makes snooping to get
the password impossible, excepting brute force.
The only real problem it has is that MD5 collisions are increasingly
easy to generate (down from 2^63 to the range of 2^48); however, they're
still far from a practical means of faking authentication.
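As an added example (written for this page, not code from anyone in the thread), the two mechanisms the reply contrasts side by side: AUTH PLAIN, where the captured line base64-decodes straight back to the password, and CRAM-MD5 as specified in RFC 2195, where the client sends HMAC-MD5 keyed with the password over a per-connection challenge and the server recomputes it from its stored cleartext password. The challenge's hostname, pid and timestamp are constructed values; the one fixed challenge/response pair in the test is the worked example from RFC 2195 itself.

```python
import base64
import hashlib
import hmac
import os
import time


# --- AUTH PLAIN (RFC 4616): what a sniffer sees is only base64 ---------------

def encode_auth_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Client side of AUTH PLAIN: base64(authzid NUL authcid NUL password)."""
    raw = f"{authzid}\0{authcid}\0{password}".encode()
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(line: str) -> tuple:
    """Anyone holding the captured line can base64-decode it and read the
    cleartext password back out; no secret is involved."""
    authzid, authcid, password = base64.b64decode(line).split(b"\0")
    return authzid.decode(), authcid.decode(), password.decode()


# --- CRAM-MD5 (RFC 2195) -----------------------------------------------------

def make_challenge(hostname: str, pid: int = None, ts: int = None) -> bytes:
    """Server: a fresh challenge in the RFC 2195 shape <pid.timestamp@host>.
    hostname/pid/ts are constructed here; a real server uses its own."""
    pid = os.getpid() if pid is None else pid
    ts = int(time.time()) if ts is None else ts
    return f"<{pid}.{ts}@{hostname}>".encode("ascii")


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client: 'username SP hex(HMAC-MD5(key=password, msg=challenge))'.
    The password is only the HMAC key; the keyed digest is what hits the wire,
    and a different challenge yields an unrelated digest."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(stored: dict, challenge: bytes, response: str) -> bool:
    """Server: recompute the digest with the user's stored cleartext password.
    This is the cost of CRAM-MD5 the thread points at: the server cannot
    check the response from a one-way password hash, it needs the password."""
    username, _, digest = response.partition(" ")
    password = stored.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    # Constant-time compare on bytes so odd client input cannot raise.
    return hmac.compare_digest(expected.encode(), digest.encode("utf-8", "replace"))


def cram_md5_exchange(stored: dict, username: str, password: str,
                      hostname: str = "mail.example.test") -> dict:
    """One full dialogue; returns exactly what each side sent on the wire."""
    challenge = make_challenge(hostname)
    server_line = "334 " + base64.b64encode(challenge).decode("ascii")
    response = cram_md5_response(username, password, challenge)
    client_line = base64.b64encode(response.encode()).decode("ascii")
    # The server decodes the client's line and verifies against its password store.
    decoded = base64.b64decode(client_line).decode("utf-8", "replace")
    return {"server": server_line, "client": client_line,
            "accepted": server_verify(stored, challenge, decoded)}


if __name__ == "__main__":
    store = {"tim": "tanstaaftanstaaf"}           # constructed password store
    print("AUTH PLAIN decodes to:", decode_auth_plain(encode_auth_plain("tim", "tanstaaftanstaaf")))
    for _ in range(2):                            # two logins, two different digests
        print("CRAM-MD5 wire:", cram_md5_exchange(store, "tim", "tanstaaftanstaaf"))
```

Two properties are visible when you run it: the AUTH PLAIN line gives up the password to anyone who can decode base64, while each CRAM-MD5 login produces a different client line because the challenge changes, and replaying a captured response against a new challenge is rejected. The caveat that comes with that is the one the reply hints at with "brute force": a captured challenge/response pair lets an observer test password guesses offline against the HMAC, so the scheme protects the password only as well as the password resists guessing, and the server side has to keep the cleartext password (or an equivalent) to verify at all.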