Password Authentication Protocol: Why Choose It?


In our current digital era, the need for secure authentication methods has never been more important. With cyber threats continually evolving, traditional username and password combinations are often seen as vulnerable points of entry.

This rise in threats has made Password Authenticated Protocols (PAP) a very popular option for organizations looking to protect their network. PAP extends beyond the basic username-password, introducing innovative techniques to ensure that only authorized individuals gain entry to sensitive systems.

Unlike traditional methods, PAP leverages cryptographic algorithms to verify the identity of users, enhancing security by mitigating common vulnerabilities such as password interception and brute force attacks. This article will explain the benefit of PAP, shedding light on how these protocols authenticate users while safeguarding sensitive information from potential threats.

By examining successful deployments and potential challenges, readers will gain insights into the practical implications of adopting PAP, empowering them to make informed decisions in an increasingly digital and interconnected world.

What is PAP (Password Authentication Protocol)?

PAP is a PPP authentication method that validates users with passwords. It is an internet standard, password-based authentication protocol and is used to connect a remote user to a server. PAP does not encrypt data and sends the password to the authentication server in plaintext.

The Main Features of PAP

PAP has several features that differentiate it from other secure authentication protocols. These features of the PPP secure protocol include:

Cleartext Password

PAP authentication transmits passwords in cleartext. Once the authentication server receives the password, it compares that password to a known password.

Supported by All Network Operating Systems

When logging into a remote device, PAP is a popular solution because all network operating systems support this authentication process.

Because it is a simple method, this authentication process works with a lot of different systems.

Two-Way Handshake Protocol

PAP is only done at the time the initial link is established with a two-way handshake. It works by sharing a password pair with mutual authentication.


Because it is only done at the initial link establishment with the remote host, PAP is non-interactive throughout the remaining duration of the linked session.

Supports One-Way Authentication and Two-Way Authentication

PAP supports both a one-way handshake and a two-way handshake process. Two-way authentication is very popular because it offers additional security.

One-way authentication and two-way authentication can be established based on specific user needs and system compatibility.

Password Authentication Protocol Use Cases

Wondering when you might use PAP over a different authentication option? Here are some common reasons:

No Support for CHAP

If your network doesn’t support CHAP, PAP authentication requests would be the best option for you. You can use either a one-way authentication or a two-way authentication to set it up. Because of the ease of use and widespread compatibility, PAP is a popular option.

When Plain Text Passwords Are Needed

PAP works by exchanging plaintext passwords at the initial link of the authentication phase. Some networks require plaintext passwords to be utilized for authentication credentials. This authentication phase helps connect remote users by exchanging the user passwords during the link establishment phase.

Incompatibilities Between CHAP Vendors

Because of the complex use of CHAP authentication, sometimes CHAP vendors don’t work together. In this case, a PAP connection may be the best option.

PAP vs CHAP: What’s the Difference?

Some working in network security may want to know the difference between PAP and CHAP. There are different uses for each of these authentication protocols.

CHAP is another popular solution that some networks utilize because they believe PAP has a weak authentication scheme due to one-time passwords, and the lack of encryption can lead to potential security issues.

How CHAP Works

A CHAP server uses a three-way handshake process to protect the authentication password from bad actors. It works as follows.

Upon link establishment, the authenticating server sends an authentication challenge.

The network access server performs a hostname lookup on the client and begins the CHAP authentication by sending a “request challenge” message. The challenge involves a challenge string that is randomly generated.

The client utilizes a password known by both the client and server to generate an encrypted one-way hash function using the challenge string.

The server will decrypt the hash and confirm if it matches the initial challenge string. When the strings match, the server will respond with an authentication-success packet. If the strings do not match, the server will send an authentication-failure message response and terminate the session.
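The challenge-response exchange above, as an added example that is not code from the original article. It follows the packet layout and hash input given in RFC 1994 (MD5 over the identifier, the shared secret and the challenge value); the server checks the response by recomputing the same hash and comparing. The names `alice` and `nas` and the secret are constructed sample values.

```python
import hashlib, hmac, os, struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # CHAP codes, RFC 1994

def chap_packet(code, ident, value, name):
    """Challenge/Response layout: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_chap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    size = pkt[4]
    return code, ident, pkt[5:5 + size], pkt[5 + size:length]

def chap_hash(ident, secret, challenge):
    # MD5 over Identifier || secret || challenge value; the secret itself never crosses the link.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def client_respond(challenge_pkt, name, secret):
    _, ident, challenge, _ = parse_chap(challenge_pkt)
    return chap_packet(RESPONSE, ident, chap_hash(ident, secret, challenge), name)

def server_verify(response_pkt, ident, challenge, secrets):
    code, rid, value, name = parse_chap(response_pkt)
    secret = secrets.get(name)
    if code != RESPONSE or rid != ident or secret is None:
        return FAILURE
    expected = chap_hash(ident, secret, challenge)  # server recomputes and compares
    return SUCCESS if hmac.compare_digest(value, expected) else FAILURE

def chap_demo():
    secrets = {b"alice": b"constructed-secret"}  # constructed sample credentials
    c1 = os.urandom(16)                          # randomly generated challenge string
    resp = client_respond(chap_packet(CHALLENGE, 1, c1, b"nas"), b"alice", b"constructed-secret")
    first = server_verify(resp, 1, c1, secrets)
    # The same captured response checked against a fresh challenge no longer matches.
    replay = server_verify(resp, 1, os.urandom(16), secrets)
    bad = client_respond(chap_packet(CHALLENGE, 2, c1, b"nas"), b"alice", b"guess")
    wrong = server_verify(bad, 2, c1, secrets)
    return first, replay, wrong
```

Note that `secrets` holds the shared secret in recoverable form: the server needs the secret itself to recompute the hash.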

How PAP Works

The password authentication protocol, also known as the PPP authentication method, is a client-server authentication protocol that relies on passwords. The implementation of this authentication method is straightforward and simple.

PAP uses a two-way handshake to authenticate users, which involves two steps.

  1. During the process of establishing a PPP session, the user sends a username and password to the server through an authentication request packet.
  2. When the server receives requests, it will accept the provided credentials and verify their match with the stored information in the system. After a match is verified, a response packet called authentication-ack is sent back, and then the server establishes the PPP session with the user. If the credentials do not match, the PPP session is not established and a response packet is returned.
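The two-step exchange above, as an added example that is not code from the original article. It builds and parses the Authenticate-Request layout from RFC 1334 and shows three properties discussed on this page: the password is readable in the packet bytes, an identical request is accepted a second time, and the server can keep only a salted hash at rest. The account, password and the PBKDF2 storage choice are assumptions made for the illustration.

```python
import hashlib, hmac, os, struct

AUTH_REQ, AUTH_ACK, AUTH_NAK = 1, 2, 3  # PAP codes, RFC 1334

def pap_request(ident, peer_id, password):
    """Code, Identifier, Length, Peer-ID Length, Peer-ID, Passwd-Length, Password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", AUTH_REQ, ident, 4 + len(body)) + body

def parse_pap_request(pkt):
    try:
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        id_len = pkt[4]
        pw_len = pkt[5 + id_len]
    except (struct.error, IndexError):
        raise ValueError("truncated Authenticate-Request") from None
    if code != AUTH_REQ or length != len(pkt) or 6 + id_len + pw_len != length:
        raise ValueError("malformed Authenticate-Request")
    return ident, pkt[5:5 + id_len], pkt[6 + id_len:length]

def store_password(password, salt=None):
    """Salt + PBKDF2 digest kept at rest; possible because PAP delivers the cleartext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def pap_reply(code, ident, message=b""):
    body = bytes([len(message)]) + message  # Msg-Length, Message
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def server_handle(pkt, user_db):
    ident, peer_id, password = parse_pap_request(pkt)
    record = user_db.get(peer_id)
    if record is not None:
        salt, digest = record
        if hmac.compare_digest(store_password(password, salt)[1], digest):
            return pap_reply(AUTH_ACK, ident)
    return pap_reply(AUTH_NAK, ident, b"auth failed")

def pap_demo():
    db = {b"alice": store_password(b"constructed-pw")}  # constructed sample account
    req = pap_request(1, b"alice", b"constructed-pw")
    ack = server_handle(req, db)
    replayed = server_handle(bytes(req), db)  # identical bytes are accepted again
    nak = server_handle(pap_request(2, b"alice", b"wrong"), db)
    return b"constructed-pw" in req, ack[0], replayed[0], nak[0]
```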

| Feature | PAP | CHAP |
| --- | --- | --- |
| Authentication Type | Simple username and password-based authentication | More secure challenge-response-based authentication |
| Security | Relies solely on plaintext passwords, considered less secure | Utilizes encryption and a challenge-response mechanism, considered more secure |
| Authentication Process | Two-way handshake involving the exchange of username and password | Three-way handshake involving a challenge and response |
| Server-Side Process | Server verifies provided credentials directly | The server verifies provided credentials directly |
| Encryption | No encryption used in the authentication process | Utilizes encryption to protect authentication credentials |
| Handling of Mismatch | Mismatched credentials result in session denial | Mismatched challenge response leads to session termination |
| Protection against Replay Attacks | Vulnerable to replay attacks due to one-time use passwords | Offers protection against replay attacks |
| Overall Security | Less secure due to the lack of encryption and susceptibility to replay attacks | More secure due to encryption and challenge-response mechanism |

Benefits of PAP Over CHAP

Supported by All Network Operating Systems

Because PAP is simple to use, it can be used by all network operating systems. This widespread support makes it more beneficial for some users.

PAP Passwords Allow More Storage at Rest

Because the authentication server has received the password in clear text, a secure format can be chosen for storing the password “at rest”. If the entire database of passwords were stolen, it would be extremely difficult to reverse the function and recover a plaintext password due to computational limitations.

CHAP Advantages Over PAP

Those looking for more security for their network may view CHAP as more beneficial for their system.

More Secure

Its mutual authentication ensures both the client and server validate each other, fostering heightened security. CHAP’s dynamic challenge-response mechanism safeguards against replay attacks, fortifying the authentication process.

CHAP remains resilient in scenarios with intermittent connections, making it suitable for remote access, especially in Virtual Private Network (VPN) setups. This makes it a reliable choice for secure authentication in modern networking.

Periodic Authentication

CHAP verifies the identity of the client by using a three-way handshake, which occurs during the establishment of the initial link (known as LCP) and can occur again at any point. The verification is based on a shared secret, such as the client’s password.

Never Share Real Passwords

In CHAP, authenticating systems utilize a shared secret, which is the password, to generate a cryptographic hash using the MD5 message digest algorithm.

Let Perimeter81 Be Your PAP Solution

The Password Authentication Protocol (PAP) stands as a proven defense of network security, providing an effective means of authentication in diverse environments. With its widespread use, PAP has proven its worth in safeguarding sensitive information during communication between clients and servers.

As technology continues to evolve, so do the challenges in the realm of cybersecurity. While PAP offers a solid foundation for authentication, it is crucial for organizations and individuals to explore and adopt additional layers of security. Consideration should be given to modern authentication methods that leverage advancements like multi-factor authentication, and continuous monitoring to fortify network defenses.

In this era of heightened digital connectivity, the strength of our defenses is only as strong as our commitment to staying ahead of any single attack. Perimeter81 can help ensure that your security strategies match the pace of technological advancements. Together, let us build networks that not only stand the test of time but also inspire confidence in the secure exchange of information.


How many types of password authentication protocols are there?
PAP and CHAP are two of the most common authentication protocols. 

CHAP is a protocol used for authenticating a user or network host to an authenticating entity. It operates by having the authenticating entity challenge the client to hash a secret and send the result. The server then compares the result with its own calculation.

PAP is one of the simplest authentication protocols. It involves the transmission of a username and password (though not in plaintext—typically hashed) from the client to the server. It’s often used in Point-to-Point Protocol (PPP) connections.

What is the difference between PAP and CHAP?
The main distinction between CHAP (Challenge-Handshake Authentication Protocol) and PAP (Password Authentication Protocol) lies in their approaches to authentication.

While both are used in Point-to-Point Protocol (PPP) connections, PAP relies on a simpler method where the client transmits its username and password to the server in plaintext, posing a security risk as sensitive information is exposed during the authentication process.

CHAP enhances security by using a challenge-response mechanism, where the server sends a dynamic challenge to the client, which is then encrypted with the password and sent back for verification.

What is the PPP authentication protocol?
The Point-to-Point Protocol (PPP) is a data link layer protocol commonly used to establish a direct connection between two nodes in a network, often over serial connections. PPP provides a standard method for transporting multi-protocol datagrams over point-to-point links.

In a PPP connection, the choice between PAP and CHAP depends on security requirements and the capabilities of the devices involved. CHAP is generally preferred over PAP because it provides a more robust mechanism for authentication, avoiding the transmission of plaintext passwords.

Is password authentication protocol secure?
Password Authentication Protocol (PAP) itself is considered less secure compared to some alternative authentication methods. The primary reason is that PAP involves transmitting passwords (albeit typically hashed) over the network during the authentication process. This creates a potential vulnerability, especially if the communication channel is not adequately secured.

While PAP can provide basic authentication, its security limitations make it less suitable for scenarios where higher levels of protection are required. Implementing stronger authentication methods is advisable for securing sensitive systems and data.