Re: SMTP AUTH LOGIN question

[David Varieur <davar () mwvcaa org>]

On Tue, 28 Jan 2003 15:56:55 -0500
Frank Barton <pauling () starwolf biz> wrote:

> I have seen many places saying "Don't use PLAIN or LOGIN methods for SMTP AUTH, unless they are encrypted" Now my 
> question is this:
> I've looked at the actual transfer of an SMTP session where the AUTH LOGIN was used, and the password wasn't sent in 
> plain-text. Is it trivial to decrypt the 
> username and password that is sent across the wire, or is there some other vulnerability?
> -- 
> Frank Barton
> Starwolf.biz Systems Administrator

Hi Frank,

The authentication data is Base64 encoded text. Yes, it is trivial to decode (man mmencode).