> On Sep 22, 2005, at 1:27 PM, Erwin Hoffmann wrote:
>
> >>> If you use CRAM-MD5 for the AUTH method, it's impossible to sniff
> >>> the cleartext password.
> >
> > I don't bet on this. If you tape the SMTP dialogue, it's easy to encrypt
> > the password.
>
> I think you're wrong. AUTH PLAIN and AUTH LOGIN are just base64
> encoded cleartext and you can determine the password from them.
> CRAM-MD5 involves a one-way hash. It is impossible to reverse the hash
> and determine the cleartext password. Each time you connect, a
> different challenge results in a different response. The only way the
> server and client can generate the correct response is to have the same
> cleartext password available.
>
> Given the challenge and response, it is not possible to generate the
> cleartext password.

I'm with Tom on this one: the CRAM-MD5 algorithm makes snooping to get the password impossible, excepting brute force. The only real problem it has is that MD5 collisions are increasingly easy to generate (down from 2^63 to the range of 2^48); however, they're still far from a practical means of faking authentication.
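
The contrast discussed in this thread, as an added example that is not part of the original messages: AUTH PLAIN decodes straight back to the password, while a CRAM-MD5 response (RFC 2195) is an HMAC-MD5 over a per-connection challenge. The user name, secret and first challenge are the RFC 2195 sample values; the AUTH PLAIN capture and the second challenge are constructed here.

```python
import base64
import hashlib
import hmac


def decode_auth_plain(b64_line):
    """AUTH PLAIN carries base64("authzid NUL authcid NUL password")."""
    _authzid, authcid, password = base64.b64decode(b64_line).split(b"\0", 2)
    return authcid.decode(), password.decode()


def cram_md5_response(user, password, challenge_b64):
    """Client side: base64("user " + hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(stored_password, challenge_b64, response_b64):
    """Server side: recompute the HMAC from its own copy of the password."""
    _user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


# RFC 2195 sample credentials and challenge.
USER, SECRET = "tim", "tanstaaftanstaaf"
CHALLENGE_1 = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()
# Constructed second challenge, standing in for a later connection.
CHALLENGE_2 = base64.b64encode(b"<4242.1127400000@mail.example.test>").decode()
# Constructed AUTH PLAIN capture for the same account.
PLAIN_CAPTURE = base64.b64encode(b"\0tim\0tanstaaftanstaaf").decode()

if __name__ == "__main__":
    print("AUTH PLAIN decodes to:", decode_auth_plain(PLAIN_CAPTURE))
    r1 = cram_md5_response(USER, SECRET, CHALLENGE_1)
    r2 = cram_md5_response(USER, SECRET, CHALLENGE_2)
    print("CRAM-MD5 response 1:", base64.b64decode(r1).decode())
    print("CRAM-MD5 response 2:", base64.b64decode(r2).decode())
    print("replaying response 1 against challenge 2 verifies:",
          server_verify(SECRET, CHALLENGE_2, r1))
```

The server can only run `server_verify` because it holds the same cleartext secret, and the same comparison is what lets a captured challenge/response pair be used to test password guesses offline, so the scheme is only as strong as the password.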