Password authentication protocol is a way of sending passwords over a network. The passwords are sent unencrypted after an initial link is made with the remote computer. This protocol is not considered safe and is used only when connecting to an older Unix computer that does not support more secure authentication.
The initial connection is made through a two-way handshake. Once the initial link is established and then the ID/password pair is sent to the remote server. The authentication request is sent repeatedly from the client until the request is acknowledged or terminated. To accept the password, the remote server must transmit a password authentication protocol packet with the code set to authenticate-ack. If the password is not accepted, the remote server must transmit a password authentication protocol packet with the code set to authenticate-nak and the connection is terminated.
The password authentication protocol is considered an insecure method of transmitting passwords. The passwords are sent across the network in plain text form and are easily readable from the Point-to-Point Protocol (PPP) packets. There are no protection devices in place to secure the password from password sniffing, playback or trial-and-error attacks. Also, the client is in charge of the frequency and timing of the password connection attempts.
Password authentication protocol has been outmoded by more secure protocols such as the Challenge Handshake Protocol (CHAP) and the Extensible Authentication Protocol (EAP). The more secure protocols use encryption techniques for authentication purposes. CHAP is used by PPP servers. EAP is used by both wireless networks and point-to-point connections.
The Challenge Handshake Protocol verifies the identity of the client via a three-way handshake and a shared secret. After the initial link is established, the remote server sends a challenge message to the client. The client calculates a one-way hash function that combines the challenge and the secret and sends the hash function back to the server.
The server checks the value against its own calculated value and acknowledges the connection if it matches. If the hash values do not match, the connection is terminated. This procedure is repeated at random intervals while the client and server are connected.
The Extensible Authentication Protocol is an authentication framework, not a true authentication protocol. EAP only defines the message format and provides common functions and negotiation of authentication methods. There are a large number of EAP protocols defined by both Request for Comments (RFCs) and by specific vendors.