Reading through Rodolfo's tutorial, I get the impression that the
passwords would go across the net in the clear? If so, what's the best
way to have them encrypted?

Your impression is almost correct. AUTH sends things encoded in Base64, so
they won't be obvious to your grandma but they *will* be decodable in
milliseconds by anyone who bothered to sniff the network. Really they're
encoded only to make sure the characters you typed get across perfectly no
matter what they are.

POP and IMAP passwords travel this way too, you know. With AUTH you make a
big step forward, but really encrypting *all* authentication (and, should
the user desire it, data transfer as well) is a necessary next step.

AUTH does provide for encryption via the GSS-something and Kerberos tickets
or something like that; is it obvious I don't know jack about this yet? As
soon as I figure out how to do all of this, I'll happily expand that
tutorial to cover properly setting up encryption.

If someone can teach me, that would also be a Good Thing (tm)... <grin>
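
An added illustration of the point made in the reply above (not part of the original message or of the tutorial it discusses): a small Python audit that takes the client side of an SMTP session and reports which credentials a passive observer could read back out of the Base64. The sample sessions and the account alice / hunter2 are constructed, the function name is hypothetical, and STARTTLS is assumed to succeed when it appears.

```python
import base64

# Constructed client-side SMTP lines (not a real capture); credentials are made up.
SAMPLE_PLAIN = ["EHLO client.example", "AUTH PLAIN AGFsaWNlAGh1bnRlcjI="]
SAMPLE_LOGIN = ["EHLO client.example", "AUTH LOGIN", "YWxpY2U=", "aHVudGVyMg=="]
SAMPLE_TLS = ["EHLO client.example", "STARTTLS",
              "EHLO client.example", "AUTH PLAIN AGFsaWNlAGh1bnRlcjI="]


def _b64(text):
    """Base64 is an encoding, not encryption: decoding needs no key."""
    return base64.b64decode(text).decode("utf-8", "replace")


def exposed_credentials(client_lines):
    """Return (user, password) pairs sent before any STARTTLS in the session."""
    exposed = []
    login_parts = None  # collects the replies to AUTH LOGIN's two prompts
    for line in client_lines:
        words = line.split()
        verb = words[0].upper() if words else ""
        if verb == "STARTTLS":
            break  # assumption: the upgrade succeeds, later lines are inside TLS
        if login_parts is not None:
            login_parts.append(_b64(line))
            if len(login_parts) == 2:
                exposed.append(tuple(login_parts))
                login_parts = None
            continue
        if verb != "AUTH" or len(words) < 2:
            continue
        mech = words[1].upper()
        if mech == "PLAIN" and len(words) == 3:
            # AUTH PLAIN payload: authzid NUL authcid NUL password
            fields = _b64(words[2]).split("\0")
            if len(fields) == 3:
                exposed.append((fields[1], fields[2]))
        elif mech == "LOGIN":
            # The username may ride along as an initial response.
            login_parts = [_b64(w) for w in words[2:3]]
    return exposed


if __name__ == "__main__":
    for name, session in [("PLAIN", SAMPLE_PLAIN), ("LOGIN", SAMPLE_LOGIN),
                          ("STARTTLS first", SAMPLE_TLS)]:
        print(name, "->", exposed_credentials(session) or "nothing readable")
```

An empty result for a session means the client upgraded to TLS before authenticating; any non-empty result is a session whose password was readable on the wire.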