Encrypted password or unencrypted password?

There are two methods of password authentication in encrypted form:
     1. Use an encrypted password on an unencrypted connection
     2. Use an unencrypted password on an encrypted connection

The first method is clearly not recommended. A typical example is the CRAM-MD5 mechanism.
The second method, authentication over an encrypted connection with a cipher suite such as TLS_AES_256_GCM_SHA384 of TLSv1.3, is secure.

By TLS, we mean entity authentication with digital certificates, at least of the server by its server certificate.
With TLSv1.3 the session key is generated randomly and ephemerally, giving Perfect Forward Secrecy, which ensures non-repeating session keys. Thus, for example, if one session key is exposed, it will not affect the data of another session. Likewise, because the session key has nothing to do with the server's private key, if the server is compromised, the server's private key cannot be used to decrypt previously captured data.

What is the session key used for?
It is the key for the symmetric cipher that encrypts the bulk communication data; the cipher here is 256-bit AES. The cipher's mode of operation is a counter mode, GCM (Galois/Counter Mode). So AES_256_GCM belongs together as one unit.

Encryption alone does not guarantee integrity.
There is no guarantee that the data received by the recipient is intact. This is where the concept of authenticated encryption comes from. This work is done using the hash function SHA384.

What is password authentication like?
This is the server authenticating the client: it checks whether the client has a credential to use a service that requires authentication. On a TLS connection, passwords and other authentication information are presented by the client to the server as a normal transaction. All data has been securely encrypted as described above. If authentication is successful, the client becomes an authenticated user. This applies to any service that uses a TLS connection.

Thus, an unencrypted password on an encrypted connection is more secure than an encrypted password on an unencrypted connection.

Authentication mechanism
There are several different authentication mechanisms, but as we now know, there should be no problem using the PLAIN mechanism on a TLS connection.
To practice, telnet to the mail server:

telnet 25

Then type the EHLO command:

EHLO localhost

Next, enter the AUTH command:

AUTH PLAIN 12345678

You will receive the following response:

503 TLS encryption or CRAM-MD5 required

That means the condition for authentication is a TLS connection or the CRAM-MD5 authentication mechanism. We connected to port 25 unencrypted, so the request was refused.

What's the contradiction here?

Actually, I've configured the server to accept authentication only on a TLS connection, and the CRAM-MD5 part is just notification text that I haven't modified. Do we need to fix it? It's unnecessary.
A complete error message is itself a vulnerability to error-based attacks.

To make a TLS connection to the mail server, run this command:

openssl s_client -connect -starttls smtp
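
What the two mechanisms put on the wire, and a server-side gate like the one that produced the 503 reply above, as an added Python example (not code from this post or from any mail server). It goes one step beyond the text by also showing password storage; the function names, the account store, the PBKDF2 storage and the 501/235/535 reply texts are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os

def plain_initial_response(user, password):
    """SASL PLAIN (RFC 4616): base64 of NUL + user + NUL + password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def decode_plain(b64):
    """PLAIN is only encoded: whoever sees the line recovers the password."""
    _authzid, user, password = base64.b64decode(b64).decode().split("\0")
    return user, password

def cram_md5_response(user, password, challenge_b64):
    """CRAM-MD5 (RFC 2195): base64 of user + SP + hex HMAC-MD5(password, challenge).
    To verify it, the server must hold the password (or a CRAM-MD5
    password-equivalent), so it cannot keep only a salted one-way hash."""
    challenge = base64.b64decode(challenge_b64)
    mac = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {mac}".encode()).decode()

def store_password(password, salt=None):
    """With PLAIN over TLS the server can store just salt + one-way hash."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def handle_auth_plain(b64, tls_active, accounts):
    """Hypothetical server-side gate: AUTH is accepted only on a TLS connection."""
    if not tls_active:
        return "503 TLS encryption or CRAM-MD5 required"  # reply text from the page
    try:
        user, password = decode_plain(b64)
    except ValueError:  # bad base64, bad UTF-8 or wrong number of NUL fields
        return "501 malformed AUTH PLAIN response"  # constructed reply text
    salt, stored = accounts.get(user, (b"\0" * 16, b""))  # unknown user never matches
    _, candidate = store_password(password, salt)
    ok = hmac.compare_digest(candidate, stored)
    return "235 authentication successful" if ok else "535 authentication failed"

if __name__ == "__main__":
    accounts = {"test": store_password("1234")}  # constructed account
    line = plain_initial_response("test", "1234")
    print(line, "->", decode_plain(line))
    print(handle_auth_plain(line, tls_active=False, accounts=accounts))
    print(handle_auth_plain(line, tls_active=True, accounts=accounts))
```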
