Re: security: PAP v CHAP

To: "Wilson Yau" <wyau@parabletelecom.com>, "Debian User Mailing List" <debian-user@lists.debian.org>
Subject: Re: security: PAP v CHAP
From: "Kevin Ross" <kevin@FamilyRoss.net>
Date: Thu, 24 May 2001 03:36:16 -0700
Message-id: <[🔎] 00f701c0e43d$9b5d87f0$0200a8c0@familyross.net>
References: <[🔎] 3B0CDED0.FBC039D8@parabletelecom.com>

> Qn./ Which is more secure, PAP or CHAP?
>
> Some people said PAP, some told me CHAP.
> If PAP is less secure, why most ISPs are using PAP for subscribers'
> authentication?

PAP sends your password in cleartext.  CHAP uses an encrypted
challenge-response method.  Therefore, CHAP is more secure than PAP.

Why do most ISPs only support PAP, and not CHAP?  For their convenience, not
yours.  CHAP requires that the passwords be stored on their system in a
cleartext, or reversibly-encrypted form.  Since most systems default to
storing passwords in a one-way encrypted form, this is more hassle for them.
Also, maybe they're worried about someone stealing their password file, and
then someone would have everyone's password.

-- Kevin

Reply to:

References:
- security: PAP v CHAP
  - From: Wilson Yau <wyau@parabletelecom.com>

Prev by Date: Re: Printer
Next by Date: Re: About PGP signatures
Previous by thread: security: PAP v CHAP
Next by thread: gkrellm mail plugin / fetchmail / exim basics
Index(es):
- Date
- Thread