Password Authentication Protocol

The Password Authentication Protocol (PAP) is a straightforward two-way handshake authentication mechanism employed within the Point-to-Point Protocol (PPP) framework to verify the identity of a connecting peer by transmitting its username (Peer-ID) and password in plaintext over the link.^[1] Defined initially in 1990 as part of early PPP specifications, PAP enables network access servers or authenticators to authenticate dial-up or switched-circuit connections from hosts and routers before allowing network-layer protocols to proceed.^[2] In operation, the peer initiates authentication by sending an Authenticate-Request packet containing its Peer-ID and password to the authenticator, which then validates the credentials against a local or remote database.^[3] If valid, the authenticator responds with an Authenticate-Ack packet (Code 2), advancing the PPP phase to network-layer configuration; otherwise, it issues an Authenticate-Nak (Code 3), potentially terminating the link after repeated failures.^[4] This process occurs after link establishment and quality determination but before higher-layer protocol negotiation, using PPP protocol field hexadecimal value C023 for PAP packets.^[2] Despite its simplicity, PAP has significant security limitations, as passwords are sent unencrypted, exposing them to eavesdropping, replay attacks, and brute-force attempts on open networks.^[5] For this reason, it supports only unilateral authentication (peer to authenticator) and is considered a weak method, with standards recommending negotiation of stronger alternatives like the Challenge-Handshake Authentication Protocol (CHAP) whenever possible.^[5] Updated in 1992 to refine packet formats and error handling, PAP was later deprecated in modern authentication contexts due to these vulnerabilities, particularly in environments like RADIUS where cleartext transmission amplifies risks.^[6] Today, it persists primarily in legacy systems or controlled networks where simplicity outweighs security needs, though its use is strongly discouraged in favor of encrypted protocols.^[6]

Overview

Definition and Purpose

The Password Authentication Protocol (PAP) is a simple authentication mechanism integrated into the Point-to-Point Protocol (PPP), designed to verify the identity of communicating peers through a two-way handshake process.^[1] In this protocol, the peer attempting to connect sends its username and password in plaintext to the authenticator, which checks these credentials against a local database or configured values to confirm legitimacy.^[1] This approach enables basic identity verification without complex cryptographic operations, making PAP suitable for environments where simplicity is prioritized.^[7] The core purpose of PAP is to establish access control during the initial setup of point-to-point network links, such as those used in dial-up connections or serial interfaces, by ensuring that only authorized peers can advance to full data exchange.^[1] It serves as a foundational step to prevent unauthorized access to network resources, simulating a traditional remote login process where the peer must prove its identity before gaining session privileges.^[7] By operating within the PPP framework, PAP contributes to the overall reliability of link establishment without introducing encryption, focusing instead on straightforward credential validation.^[1] A key aspect of PAP's operation is its positioning within the PPP negotiation sequence: it activates after the Link Control Protocol (LCP) has successfully configured the physical and data link layers, but before the Network Control Protocol (NCP) configures higher-layer network protocols.^[1] This timing ensures that authentication occurs at a critical juncture, providing essential access gating while maintaining the protocol's minimal overhead and ease of deployment in legacy or resource-constrained networking scenarios.^[7]

History and Development

The Password Authentication Protocol (PAP) was first proposed in the initial PPP specification, RFC 1172 (July 1990), and emerged in the early 1990s as a component of the Point-to-Point Protocol (PPP) suite, designed to enable authentication for Internet Protocol (IP) datagrams transmitted over serial links such as dial-up modems.^[2] PPP itself developed as a successor to the Serial Line Internet Protocol (SLIP), which lacked robust support for multiple network protocols and error detection, to meet the expanding needs of remote network access in TCP/IP environments during the pre-broadband era.^[8] PAP was formally standardized in October 1992 through RFC 1334, authored by B. Lloyd of Lloyd & Associates and W. Simpson of Daydreamer, under the auspices of the Internet Engineering Task Force (IETF) Point-to-Point Protocol Working Group.^[9] This document outlined PAP as one of two primary authentication mechanisms for PPP—alongside the Challenge-Handshake Authentication Protocol (CHAP)—to address the authentication requirements following initial link establishment in switched circuits or dial-up scenarios.^[9] The protocol's creation responded directly to the surging demand for reliable remote access authentication as Internet connectivity grew via serial connections, extending beyond SLIP's limitations to support broader TCP/IP integration for hosts and routers.^[10] Early adoption of PAP occurred prominently in Unix-like operating systems, such as Solaris, where it integrated into PPP configurations for dial-up user validation using files like /etc/ppp/pap-secrets, and in initial Internet routers handling modem-based access.^[11]

Technical Specifications

Authentication Process

The Password Authentication Protocol (PAP) employs a straightforward two-way handshake to verify the identity of a peer during the establishment of a Point-to-Point Protocol (PPP) link. In this mechanism, the peer seeking authentication initiates the process by transmitting an Authenticate-Request packet containing its username (Peer-ID) and password in plaintext. The authenticator, upon receiving this packet, validates the provided credentials against its local database or configured authentication system. If the credentials are correct, the authenticator responds with an Authenticate-Ack packet, confirming successful authentication and including an optional message; conversely, if the credentials are invalid, it sends an Authenticate-Nak packet with a brief error message indicating the failure.^[1] Within the PPP framework, the PAP authentication sequence occurs immediately after the Link Control Protocol (LCP) has successfully established and configured the link but before the Network Control Protocol (NCP) negotiates and assigns network-layer addresses, such as IP addresses. This positioning ensures that authentication is a prerequisite for progressing to network-layer operations, with PAP itself being an optional phase negotiated via the Authentication-Protocol Configuration Option during LCP. The peer may repeat the transmission of Authenticate-Request packets until it receives a response or a local retry counter expires, allowing for basic handling of transient transmission issues without a formal retry protocol defined within PAP. Successful completion of this handshake is mandatory for the session to advance; failure results in link termination, as the authenticator may issue an LCP Terminate-Request following an Authenticate-Nak.^[1] The operational flow begins with the peer generating an Authenticate-Request, which includes a unique Identifier field to correlate it with the forthcoming response. The authenticator processes this request by cross-referencing the username and password against its authentication database, performing the validation locally without involving external servers in the basic PAP design. Upon validation, the authenticator crafts and sends either the Authenticate-Ack or Authenticate-Nak, matching the Identifier to ensure the response pertains to the correct request. In cases of post-authentication scenarios, such as link re-establishment, the peer can resend Authenticate-Requests, but persistent failures trigger LCP termination procedures to indicate issues like a lost Nak response. This sequence maintains a simple, unidirectional authentication direction from peer to authenticator, emphasizing efficiency over complexity in link setup.^[1]

Packet Format

The Password Authentication Protocol (PAP) packets are encapsulated within the Information field of Point-to-Point Protocol (PPP) Data Link Layer frames, using the protocol number 0xc023 to identify PAP traffic.^[1] All PAP packets share a common header structure consisting of a one-octet Code field, a one-octet Identifier field, and a two-octet Length field. The Code field specifies the packet type: 1 for Authenticate-Request, 2 for Authenticate-Ack, and 3 for Authenticate-Nak. The Identifier field aids in matching requests with their corresponding replies. The Length field indicates the total length of the PAP packet, including the header and all data fields, in octets.^[1] The Authenticate-Request packet, sent by the peer seeking authentication, follows the header with a one-octet Peer-ID Length field, the variable-length Peer-ID string, a one-octet Password Length field, and the variable-length Password string. The Peer-ID and Password are transmitted as plaintext ASCII strings, using displayable characters in the range of decimal 32 to 126, with their lengths explicitly specified to delimit the fields.^[1] The Authenticate-Ack and Authenticate-Nak packets, sent by the authenticator in response, follow the header with a one-octet Msg-Length field and an optional variable-length Message string. The Message provides human-readable feedback, such as an error indication, and is also encoded in displayable ASCII characters from decimal 32 to 126, with its length given by the Msg-Length field.^[1]

Field	Size (octets)	Description
Common Header
Code	1	Packet type (1=Request, 2=Ack, 3=Nak)
Identifier	1	Matches requests and replies
Length	2	Total packet length
Authenticate-Request Data
Peer-ID Length	1	Length of Peer-ID string
Peer-ID	Variable	ASCII peer identifier
Password Length	1	Length of Password string
Password	Variable	ASCII password
Authenticate-Ack/Nak Data
Msg-Length	1	Length of Message string
Message	Variable	Optional ASCII message

Security Analysis

Vulnerabilities and Risks

The Password Authentication Protocol (PAP) transmits user credentials, including passwords, in plaintext over the network, rendering it highly susceptible to eavesdropping attacks where malicious actors intercept traffic using tools such as packet sniffers.^[1]^[12] This vulnerability is exacerbated in unencrypted environments like traditional Point-to-Point Protocol (PPP) sessions, allowing attackers to capture and directly read authentication data without additional decryption efforts.^[13] For instance, network monitoring software can readily expose these credentials during transmission, facilitating unauthorized access to systems.^[12] PAP employs one-way authentication, verifying only the client (peer) against the server (authenticator) without confirming the server's identity to the client, which leaves it open to man-in-the-middle (MITM) attacks.^[1] In such scenarios, an attacker can impersonate the legitimate server, tricking the client into sending credentials to the wrong entity while relaying responses to maintain the deception.^[14] This lack of mutual verification stems from PAP's simple two-way handshake design, which does not incorporate mechanisms to bind sessions or validate the authenticator's legitimacy.^[13] The protocol offers no inherent replay protection or session binding, as it relies on static credentials without unique challenges or timestamps, enabling attackers to capture and reuse authentication packets for repeated unauthorized access.^[1] Captured plaintext credentials further support offline dictionary attacks, where adversaries systematically test common password lists against the intercepted data, or credential stuffing, where stolen pairs are tried across multiple services due to user reuse patterns.^[13] These weaknesses persist because PAP does not employ cryptographic hashing or nonces to prevent such reuse.^[1] PAP was used in legacy dial-up networking environments, where unencrypted phone lines and PPP connections allowed straightforward interception of credentials by physically tapping circuits or using early sniffing tools.^[13] In these pre-broadband systems, the protocol's plaintext nature amplified risks in unmonitored or shared access scenarios, and it is now considered inadequate for modern security standards due to these persistent threats.^[1]

Comparison with CHAP

The Password Authentication Protocol (PAP) employs a two-way handshake, where the peer sends an authentication request containing the username and password in plaintext to the authenticator, which responds with an acknowledgment or rejection based on verification.^[1] In contrast, the Challenge-Handshake Authentication Protocol (CHAP) utilizes a three-way handshake: the authenticator initiates with a challenge packet containing a random value, the peer responds with a hashed value derived from the challenge, identifier, and shared secret, and the authenticator replies with success or failure.^[15] This structural difference in CHAP prevents passive eavesdroppers from capturing the full authentication exchange in a single transmission, unlike PAP's straightforward request-response.^[1]^[15] Security-wise, PAP transmits the password in cleartext, exposing it directly to interception on insecure links and enabling replay attacks if captured.^[1] CHAP addresses this by never sending the password; instead, it computes a one-way hash—typically MD5—of the challenge concatenated with the shared secret, ensuring the secret remains undisclosed even if the response is intercepted.^[15] Additionally, CHAP's use of unique, unpredictable challenges per session mitigates replay risks, a vulnerability inherent in PAP's static credentials.^[1]^[15] In terms of implementation, PAP's simplicity makes it compatible with legacy systems requiring minimal computational overhead, as it avoids hashing or challenge generation.^[1] CHAP, however, demands more resources for hash computations and shared secret management on both ends, though it supports mutual authentication when negotiated bidirectionally.^[15] Both protocols operate within the Point-to-Point Protocol (PPP) framework to authenticate peers over serial links.^[1]^[15] CHAP evolved directly as an enhancement to PAP, formalized in RFC 1994 to counter eavesdropping and passive attacks by incorporating periodic re-challenges after initial authentication, thereby providing ongoing verification without repeated secret exposure.^[15] This design shift underscores PAP's limitations in modern contexts, positioning CHAP as the preferred method for PPP authentication where security is prioritized.^[1]^[15]

Usage and Modern Context

Applications in Networking

The Password Authentication Protocol (PAP) finds its primary application within the Point-to-Point Protocol (PPP) framework for authenticating users over serial lines, Integrated Services Digital Network (ISDN), and Digital Subscriber Line (DSL) connections in legacy remote access servers. In these environments, PAP performs initial authentication during PPP link establishment, often integrating with Remote Authentication Dial-In User Service (RADIUS) servers to enable centralized credential verification for dial-in users.^[16]^[17] Historically, PAP saw widespread deployment in the 1990s among dial-up Internet service providers (ISPs) and early virtual private network (VPN) setups, where it authenticated modems and routers connecting remote clients to network access servers over switched circuits. This usage was prevalent in scenarios requiring simple, two-way handshake verification to simulate traditional remote host logins, facilitating broad internet access before more secure alternatives emerged.^[18] In niche modern contexts, PAP persists in embedded systems and Internet of Things (IoT) devices that employ PPP for connectivity, such as industrial routers or legacy serial interfaces where implementation simplicity is prioritized. It also serves as an occasional fallback mechanism in Cisco and Juniper routers for PPP authentication when preferred protocols fail, and in testing environments to validate basic network authentication flows. As of 2025, vendors like Cisco and Juniper continue to support PAP for legacy compatibility, though with security warnings.^[16]^[19]^[20] Following successful PAP authentication, PPP proceeds to negotiate Network Control Protocols, such as the IP Control Protocol (IPCP), which assigns IP addresses to authenticated peers, enabling seamless transition to data transmission in these networked applications.^[16]

Deprecation and Alternatives

The Password Authentication Protocol (PAP) has been classified as obsolete by the Internet Engineering Task Force (IETF), which explicitly describes it as a deprecated cleartext password authentication protocol for Point-to-Point Protocol (PPP) environments due to its inherent security weaknesses.^[6] Networking standards discourage PAP in favor of encrypted methods. Key alternatives to PAP prioritize encryption and stronger verification. Within PPP contexts, the Challenge-Handshake Authentication Protocol (CHAP) serves as a direct upgrade by hashing passwords during transmission. For broader network access, the Extensible Authentication Protocol (EAP) framework offers variants like EAP-Transport Layer Security (EAP-TLS), which uses mutual certificate-based authentication, and Protected EAP (PEAP), which tunnels inner methods within TLS to protect credentials. In Microsoft Windows environments, MS-CHAPv2 provides an enhanced, challenge-response mechanism compatible with PPP and RADIUS. For web-based and API access, protocols such as OAuth 2.0 enable token-based authorization without exposing passwords, while Security Assertion Markup Language (SAML) facilitates federated identity management across domains. Transitioning from PAP involves targeted migrations to mitigate risks while maintaining compatibility. In PPP setups, administrators should prioritize shifting to CHAP or EAP methods, updating configurations on routers and access servers to enforce these protocols exclusively.^[21] Where legacy systems necessitate PAP retention, encapsulating it within a TLS/SSL tunnel—such as via EAP-TTLS/PAP—can provide interim protection, though this approach remains suboptimal and demands swift replacement with native encrypted alternatives.^[22] PAP's plaintext handling contravenes regulatory standards for credential security, accelerating its obsolescence. The Payment Card Industry Data Security Standard (PCI-DSS) requires strong cryptography and security protocols to protect authentication factors during transmission (e.g., Requirement 4.1).^[23] Similarly, the General Data Protection Regulation (GDPR) Article 32 requires appropriate technical measures, including encryption, for personal data like passwords, making cleartext protocols a violation of data protection principles. These constraints have prompted widespread recommendations to phase out PAP in enterprise networks, favoring compliant alternatives to avoid fines and breaches.