Here is the specification for LOGIN:

LOGIN mechanism

The mechanism name associated with the LOGIN mechanism is "LOGIN". The authorization identity is the same string as the "user name" in the traditional (non-SASL) LOGIN or USER commands; the authorization authenticator is the same string as the traditional "password".

1. Client side of authentication protocol exchange

If the protocol permits an initial response as an optional parameter to the authentication command, the client MAY provide the authorization identity as that parameter. Otherwise, the client expects the server to issue a challenge and responds with the authorization identity.

The client then expects the server to issue a challenge and responds with the authorization authenticator. The contents of any challenges SHOULD be ignored. This completes the client-side LOGIN authentication.

2. Server side of authentication protocol exchange

If the protocol permits an initial response as an optional parameter to the authentication command and that parameter is supplied, this response is recorded as the authorization identity. Otherwise, the server issues a string which SHOULD be "Username:" in challenge, and receives a client response which is recorded as the authorization identity.

The server then issues a string which SHOULD be "Password:" in challenge, and receives a client response. This response is recorded as the authorization authenticator. The server must verify that the authorization authenticator permits login as the authorization identity.

3. Security layer

There are no security layers in the LOGIN mechanism.
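
The exchange in sections 1 and 2, as an added example that is not part of the specification: a Python model of both sides at the SASL layer, with and without an initial response. The class names, the USERS store, the prompts parameter and the constant-time comparison are assumptions of the example; any transport encoding applied by the host protocol is left out.

```python
import hmac

# Constructed credential store for this example (not from the specification).
USERS = {"alice": "correct horse"}

class LoginServer:
    """Server side: record identity, then authenticator, then verify."""
    def __init__(self, users, initial_response=None, prompts=("Username:", "Password:")):
        self.users, self.prompts = users, prompts
        self.identity = initial_response  # a supplied initial response is the identity
        self.authenticator = None

    def next_challenge(self):
        if self.identity is None:
            return self.prompts[0]
        if self.authenticator is None:
            return self.prompts[1]
        return None  # both values recorded, nothing left to ask

    def receive(self, response):
        if self.identity is None:
            self.identity = response
        else:
            self.authenticator = response

    def verify(self):
        # The authenticator must permit login as the recorded identity.
        known = self.identity in self.users
        expected = self.users.get(self.identity, "")
        match = hmac.compare_digest(expected.encode(), (self.authenticator or "").encode())
        return known and match

class LoginClient:
    """Client side: answers by position and ignores challenge contents."""
    def __init__(self, identity, authenticator, send_initial=False):
        self.pending, self.send_initial = [identity, authenticator], send_initial

    def initial_response(self):
        return self.pending.pop(0) if self.send_initial else None

    def respond(self, _challenge):
        return self.pending.pop(0)

def run_exchange(client, users, **server_opts):
    """Drive one LOGIN exchange; return (verified, [(challenge, response), ...])."""
    server = LoginServer(users, client.initial_response(), **server_opts)
    transcript = []
    while (challenge := server.next_challenge()) is not None:
        transcript.append((challenge, client.respond(challenge)))
        server.receive(transcript[-1][1])
    return server.verify(), transcript
```

The transcript holds the authenticator verbatim, which is what an observer of the connection sees, since the mechanism has no security layer. Passing prompts=("User Name", "Pass") to run_exchange shows that a client which ignores challenge contents still completes the exchange.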