Here is the specification for LOGIN:

LOGIN mechanism

   The mechanism name associated with the LOGIN mechanism is "LOGIN".
   The authorization identity is the same string as the "user name" in
   the traditional (non-SASL) LOGIN or USER commands; the authorization
   authenticator is the same string as the traditional "password".

1. Client side of authentication protocol exchange

   If the protocol permits an initial response as an optional
   parameter to the authentication command, the client MAY provide the
   authorization identity as that parameter.  Otherwise, the client
   expects the server to issue a challenge and responds with the
   authorization identity.

   The client then expects the server to issue a challenge and
   responds with the authorization authenticator.  The contents of
   any challenges SHOULD be ignored.

   This completes the client-side LOGIN authentication.

2. Server side of authentication protocol exchange

   If the protocol permits an initial response as an optional parameter
   to the authentication command and that parameter is supplied, this
   response is recorded as the authorization identity.  Otherwise, the
   server issues a string which SHOULD be "Username:" in challenge,
   and receives a client response which is recorded as the
   authorization identity.

   The server then issues a string which SHOULD be "Password:" in
   challenge, and receives a client response.  This response is
   recorded as the authorization authenticator.  The server must
   verify that the authorization authenticator permits login as the
   authorization identity.

3. Security layer

   There are no security layers in the LOGIN mechanism.