On 22/08/17 20:07, Robert Wolf wrote:
On Tue, 22 Aug 2017, Aki Tuomi wrote:
else (NOT LOCALHOST) and you can see it says LOGINDISABLED unless you have enabled something like cram-md5.
Exactly, this is the reason why plain-text is still needed. You don't need encryption for authentication if you have secure authentication. Without knowing the original password, the MITM cannot generate the correct hash for login, so the connection can be plain-text.
In order to support non-plain-text login types, the passwords themselves have to be stored in plain-text. If you use PLAIN but only allow authentication over a secure channel, then you get the best of both worlds: you can store your passwords as a hash, and they are not transmitted as plain text over the internet.
Peter
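Worked example of the trade-off the two replies above are arguing about. This is added here for illustration; it is not code from the thread or from Dovecot. It implements the CRAM-MD5 exchange of RFC 2195 and the PLAIN message of RFC 4616 at the SASL level only (no IMAP framing), and uses a salted PBKDF2-SHA256 verifier for the PLAIN side as an assumed stand-in for "store your passwords as a hash". The usernames, passwords and hostname are constructed sample data.

```python
"""CRAM-MD5 vs PLAIN: which side has to hold the cleartext password.

Added example, not Dovecot's implementation. SASL-level only, no IMAP framing.
"""
import base64
import hashlib
import hmac
import secrets
import time


# ---- CRAM-MD5 (RFC 2195): password never on the wire, cleartext on the server ----

def cram_md5_challenge(hostname: str) -> bytes:
    """Server: fresh, unpredictable challenge in RFC 2195's '<id.time@host>' form."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client: base64('user ' + hex(HMAC-MD5(password, challenge))) as sent on the wire."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def cram_md5_verify(cleartext_db: dict, challenge: bytes, response: str) -> bool:
    """Server: recompute the HMAC from the stored *cleartext* password.

    cleartext_db maps username -> cleartext password. A bcrypt/PBKDF2 hash cannot
    be used here, because HMAC needs the password itself as its key.
    """
    try:
        username, digest = base64.b64decode(response).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    password = cleartext_db.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# ---- PLAIN (RFC 4616): password on the wire, only a one-way hash on the server ----

PBKDF2_ROUNDS = 100_000  # assumed work factor for the example verifier


def plain_initial_response(username: str, password: str) -> str:
    """Client: base64(authzid NUL authcid NUL password), authzid left empty."""
    return base64.b64encode(f"\0{username}\0{password}".encode()).decode()


def make_plain_verifier(password: str, salt: bytes = b"") -> dict:
    """Server: salted PBKDF2-HMAC-SHA256 verifier; the cleartext is never stored."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": dk}


def plain_verify(verifier_db: dict, response: str) -> bool:
    """Server: decode the PLAIN message and check the password against the verifier."""
    try:
        _authzid, username, password = base64.b64decode(response).decode().split("\0")
    except (ValueError, UnicodeDecodeError):
        return False
    v = verifier_db.get(username)
    if v is None:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), v["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(dk, v["hash"])


def plain_password_seen_on_wire(response: str) -> str:
    """Passive observer on a cleartext connection: PLAIN hands over the password."""
    return base64.b64decode(response).decode().split("\0")[2]


if __name__ == "__main__":
    # Constructed sample data.
    cram_db = {"alice": "correct horse"}           # server must keep cleartext
    plain_db = {"alice": make_plain_verifier("correct horse")}  # hash only

    ch = cram_md5_challenge("mail.example.invalid")
    resp = cram_md5_response("alice", "correct horse", ch)
    print("CRAM-MD5 login ok:", cram_md5_verify(cram_db, ch, resp))
    print("CRAM-MD5 replay on new challenge:",
          cram_md5_verify(cram_db, cram_md5_challenge("mail.example.invalid"), resp))

    pr = plain_initial_response("alice", "correct horse")
    print("PLAIN login ok:", plain_verify(plain_db, pr))
    print("PLAIN password visible to a sniffer:", plain_password_seen_on_wire(pr))
```

Observing one CRAM-MD5 exchange gives a sniffer only a challenge and an HMAC that cannot be replayed against a fresh challenge, but the server database must hold `cleartext_db` values that any server-side compromise reveals directly. With PLAIN the server keeps only `verifier_db`, yet the password is recoverable from the wire by anyone who can see the session, which is why it must be restricted to TLS (or localhost), exactly as the LOGINDISABLED capability advertises.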