A clear-text authentication scheme used in Point-to-Point Protocol (PPP) connections over WAN links, defined in Request for Comments (RFC) 1334. Password Authentication Protocol (PAP) is not a secure form of authentication because the user’s credentials are passed over the link in unencrypted form. For this reason, Challenge Handshake Authentication Protocol (CHAP) or some other authentication protocol is preferable if the remote client supports it. If the password of a remote client using PAP has been compromised, the authentication server can be attacked by replaying the captured exchange or by impersonating the remote client.
PAP uses a two-way handshake to perform authentication. Once the PPP link is established using the Link Control Protocol (LCP), the PPP client sends a username and password to the PPP server. The server uses its own authentication scheme and user database to authenticate the user, and if the authentication is successful, the server sends an acknowledgment to the client.
PAP is typically used only if the remote access server and the remote client cannot negotiate any higher form of authentication. The remote client initiates the PAP session when it attempts to connect to the PPP server or router. PAP merely identifies the client to the PPP server; the server then authenticates the client based on whatever authentication scheme and user database are implemented on the server.
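The two-way handshake described above, as an added example that is not part of the original entry: it encodes and decodes the RFC 1334 Authenticate-Request, Authenticate-Ack and Authenticate-Nak packets and runs the server side of the exchange against a constructed user database, which also makes the clear-text exposure of the password visible in the raw bytes.

```python
import struct

# RFC 1334 PAP packet codes
AUTH_REQUEST = 1
AUTH_ACK = 2
AUTH_NAK = 3


def build_auth_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Encode an Authenticate-Request as the PPP client sends it after LCP is up."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    # Length covers Code, Identifier, Length itself and the body (network byte order).
    return struct.pack("!BBH", AUTH_REQUEST, identifier, 4 + len(body)) + body


def build_auth_response(code: int, identifier: int, message: bytes) -> bytes:
    """Encode an Authenticate-Ack (code 2) or Authenticate-Nak (code 3) with a message."""
    body = bytes([len(message)]) + message
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_pap(packet: bytes) -> dict:
    """Decode a PAP packet; the password is readable directly from the wire bytes."""
    if len(packet) < 4:
        raise ValueError("PAP packet shorter than header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad PAP Length field")
    payload = packet[4:length]  # bytes beyond Length are padding and are ignored
    if not payload:
        raise ValueError("empty PAP payload")
    if code == AUTH_REQUEST:
        pid_len = payload[0]
        peer_id = payload[1:1 + pid_len]
        pw_len = payload[1 + pid_len] if len(payload) > 1 + pid_len else -1
        password = payload[2 + pid_len:2 + pid_len + pw_len]
        if len(peer_id) != pid_len or len(password) != pw_len:
            raise ValueError("truncated Authenticate-Request")
        return {"code": code, "id": identifier, "peer_id": peer_id, "password": password}
    if code in (AUTH_ACK, AUTH_NAK):
        msg_len = payload[0]
        return {"code": code, "id": identifier, "message": payload[1:1 + msg_len]}
    raise ValueError(f"unknown PAP code {code}")


def server_handshake(request: bytes, user_db: dict) -> bytes:
    """Server half of the handshake: check the request against a constructed user
    database (hypothetical; a real server uses whatever scheme and store it implements)."""
    req = parse_pap(request)
    if req["code"] != AUTH_REQUEST:
        raise ValueError("expected Authenticate-Request")
    if user_db.get(req["peer_id"]) == req["password"]:
        return build_auth_response(AUTH_ACK, req["id"], b"Login ok")
    return build_auth_response(AUTH_NAK, req["id"], b"Login failed")
```

Because the password is a plain substring of the request bytes, any capture of the link yields it directly, which is the weakness the entry describes.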
You should disable PAP on the Remote Access Service (RAS) for Microsoft Windows NT to ensure that user passwords are never sent as clear text over an unsecured connection.