Password Authentication Protocol

PAP is also used to describe password authentication in other protocols such as RADIUS and Diameter. However, those protocols provide for transport or network layer security, and therefore that usage of PAP does not have the security issues seen when PAP is used with PPP. ==Benefits of PAP==

When the client sends a clear-text password, the authentication server will receive it, and compare it to a "known good" password. Since the authentication server has received the password in clear-text, the format of the stored password can be chosen to be secure "at rest". If an attacker were to steal the entire database of passwords, it is computationally infeasible to reverse the function to recover a plaintext password. As a result, while PAP passwords are less secure when sent over a PPP link, they allow for more secure storage "at rest" than with other methods such as CHAP. ==Working cycle==

PAP authentication is only done at the time of the initial link establishment, and verifies the identity of the client using a two-way handshake. • Client sends username and password. This is sent repeatedly until a response is received from the server. • Server sends authentication-ack (if credentials are OK) or authentication-nak (otherwise) ==PAP packets==

PAP packet embedded in a PPP frame. The protocol field has a value of C023 (hex). ==See also==