On 22/08/17 20:07, Robert Wolf wrote:
> On Tue, 22 Aug 2017, Aki Tuomi wrote:
>
>> else (NOT LOCALHOST) and you can see it says LOGINDISABLED unless you
>> have enabled something like cram-md5.
>
> Exactly, this is the reason why plain-text is still needed. You don't need
> encryption for authentication if you have secure authentication. Without
> knowing the original password, the MITM cannot generate a correct hash for
> login, so the connection can be plain-text.
In order to support non-plain-text login types, the passwords themselves have to be stored in plain text. If you use PLAIN but only allow authentication over a secure channel, then you get the best of both worlds: you can store your passwords as a hash and they are not transmitted as plain text over the internet.

Peter