cherti / mailexporter

Export Prometheus-style metrics about mail server functionality
https://prometheus.io
GNU General Public License v3.0

change smtp type Auth to work without TLS #32

Closed RTLer closed 3 years ago

RTLer commented 3 years ago

https://stackoverflow.com/a/11066064

cherti commented 3 years ago

Thanks very much for the PR.

However, I'm afraid I do have my reservations about it, as I see a couple of difficulties.

First of all, I think the PLAIN mechanism is the most widely available, whereas CRAMMD5, while certainly popular, comes with a number of difficulties, among these the requirement to keep a user's credentials in plain text on the server, as I see no other way to construct the challenge, whereas this is not required with PLAIN. So, migrating to CRAMMD5 as the sole authentication mechanism, one would have to remove some powerful server-side protections against password theft.

Compared to that, MD5 is not really a good hashing algorithm anymore, especially on a plaintext wire. I briefly checked with hashcat and I get a ballpark estimate of gigahashes/s on a rather mediocre GPU, hence breaking an MD5 hash is not as difficult as it should be for protecting a password, so CRAMMD5 doesn't seem to be a valid replacement for TLS, even if the default implementation of Go would accept it as such.

Hence, I unfortunately do not see much gain, but notable drawbacks, in changing the default auth mechanism, and personally I'm not too sure if connections without TLS are worth supporting.

Hence, I currently don't think that changing the authentication mechanism to CRAMMD5 is a good idea, sorry.
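Added example (not part of this PR or of mailexporter's code) showing what the two Go net/smtp Auth types discussed above actually do on an unencrypted session: PlainAuth refuses to hand over the password without TLS, while CRAMMD5Auth answers the server's challenge with an HMAC-MD5 keyed on the plaintext password, which is exactly why a verifying server has to keep that password recoverable. The hostname, credentials and challenge string are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"fmt"
	"net/smtp"
)

// Constructed placeholders: not a real mail host or account.
const (
	mailHost = "mail.example.com"
	username = "monitor"
	password = "correct horse battery staple"
)

// StartAuth runs the first step of an smtp.Auth against a server with or without TLS.
func StartAuth(a smtp.Auth, tls bool) (string, error) {
	proto, _, err := a.Start(&smtp.ServerInfo{Name: mailHost, TLS: tls})
	return proto, err
}

// CramMD5Response answers a server challenge the way Go's client does.
func CramMD5Response(challenge string) (string, error) {
	a := smtp.CRAMMD5Auth(username, password)
	if _, _, err := a.Start(&smtp.ServerInfo{Name: mailHost}); err != nil {
		return "", err
	}
	resp, err := a.Next([]byte(challenge), true)
	return string(resp), err
}

// ExpectedCramMD5 is what a verifying server must compute on its side:
// "username hex(HMAC-MD5(key=password, challenge))". The HMAC key is the
// plaintext password, which is the server-side trade-off discussed above.
func ExpectedCramMD5(challenge string) string {
	mac := hmac.New(md5.New, []byte(password))
	mac.Write([]byte(challenge))
	return fmt.Sprintf("%s %x", username, mac.Sum(nil))
}

func main() {
	plain := smtp.PlainAuth("", username, password, mailHost)
	_, err := StartAuth(plain, false)
	fmt.Println("PLAIN without TLS:", err) // client refuses to send the password
	proto, err := StartAuth(smtp.CRAMMD5Auth(username, password), false)
	fmt.Println("CRAM-MD5 without TLS:", proto, err)
	ch := "<1896.697170952@mail.example.com>" // constructed challenge
	resp, _ := CramMD5Response(ch)
	fmt.Println("server can verify the answer:", resp == ExpectedCramMD5(ch))
}
```

Run it once with `TLS: true` in StartAuth to see PlainAuth negotiate normally; the refusal is purely the client's unencrypted-connection guard, not a server decision.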