Everything You Need to Know About APOP

APOP was designed for email security, but other methods work better now

Authenticated Post Office Protocol (APOP) is an extension of the Post Office Protocol (POP). With APOP, the password itself is never placed on the wire; the client sends a one-way hash derived from it instead.

How Does APOP Compare to POP?

With POP, usernames and passwords are sent in plain text over the network and can be intercepted by a malicious third party. With APOP, the password is never exchanged directly. What crosses the network is a hash computed from the password and a string supplied by the server, and that string is unique to every login.

How Does APOP Work?

The unique string is a timestamp that the server includes in its greeting when the user's email program connects. Both the server and the email program then compute the MD5 hash of the timestamp followed by the password. The email program sends its result to the server, which accepts the login only if that value matches the server's own computation.
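The exchange just described, as an added example that is not part of the original article: a minimal client and server side of APOP in Python. The greeting timestamp, the mailbox name "mrose" and the password "tanstaaf" are reused from the example in RFC 1939; the `ApopServer` class and the helper names are this example's own. The server is written to show the caveats the article raises: it has to hold the account password in plain text, the timestamp is only valid for one attempt, and the digest comparison is constant-time.

```python
import hashlib
import hmac
import re

# Sample values reused from the APOP example in RFC 1939 (constructed
# test data here, not a live server).
RFC_GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
RFC_USER = "mrose"
RFC_PASSWORD = "tanstaaf"

# Per RFC 1939 the timestamp is the first <...@...> token in the greeting.
_TIMESTAMP_RE = re.compile(r"<[^<>\s]+@[^<>\s]+>")


def extract_timestamp(greeting: str) -> str:
    """Pull the per-connection timestamp out of the server's +OK greeting."""
    match = _TIMESTAMP_RE.search(greeting)
    if not match:
        raise ValueError("server greeting carries no APOP timestamp")
    return match.group(0)


def apop_digest(timestamp: str, password: str) -> str:
    """MD5 over timestamp || password as 32 lowercase hex digits.

    This is a bare MD5 of the concatenation, not an HMAC; it is what the
    protocol specifies, and it is why the article calls the scheme dated.
    """
    return hashlib.md5((timestamp + password).encode("utf-8")).hexdigest()


def client_apop_command(greeting: str, user: str, password: str) -> str:
    """What the email program sends: 'APOP <name> <digest>'."""
    return f"APOP {user} {apop_digest(extract_timestamp(greeting), password)}"


class ApopServer:
    """Server side of the exchange (hypothetical helper class).

    It must know every account's plaintext password to recompute the
    digest, which is the first drawback listed in the article.
    """

    def __init__(self, accounts: dict):
        self._accounts = accounts          # user -> plaintext password
        self._timestamp = None             # valid for one attempt only

    def greeting(self, pid: int, clock: int, host: str) -> str:
        self._timestamp = f"<{pid}.{clock}@{host}>"
        return f"+OK POP3 server ready {self._timestamp}"

    def handle_apop(self, line: str) -> str:
        parts = line.split()
        if len(parts) != 3 or parts[0].upper() != "APOP":
            return "-ERR syntax error"
        _, user, digest = parts
        password = self._accounts.get(user)
        if password is None or self._timestamp is None:
            return "-ERR authentication failed"
        expected = apop_digest(self._timestamp, password)
        # Constant-time compare so timing does not leak how many hex
        # digits of the digest matched.
        if not hmac.compare_digest(expected, digest.lower()):
            return "-ERR authentication failed"
        self._timestamp = None             # consumed; no second attempt
        return f"+OK mailbox {user} unlocked"


def run_exchange(password_at_client: str):
    """Drive one connection end to end; returns (greeting, command, reply)."""
    server = ApopServer({RFC_USER: RFC_PASSWORD})
    greeting = server.greeting(1896, 697170952, "dbc.mtview.ca.us")
    command = client_apop_command(greeting, RFC_USER, password_at_client)
    return greeting, command, server.handle_apop(command)


if __name__ == "__main__":
    for line in run_exchange(RFC_PASSWORD):
        print(line)
```

Running the script prints the greeting, the `APOP mrose ...` line and the server's `+OK`. Note that only the 32-character digest appears on the wire, never "tanstaaf", and that a new connection produces a new timestamp, so a captured `APOP` line is refused if it is simply sent again.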

How Secure Is APOP?

While APOP is more secure than plain POP authentication, it has drawbacks of its own:

  • Both the email server and the email client need to use (and, usually, store) the email account password in plain text, because both sides must recompute the hash from it. A compromise of either side therefore exposes the password directly.
  • The algorithm used to compute the hash, MD5, is dated and no longer considered secure. For APOP this does not by itself make it easy to recover passwords from their hashed form, but it still warrants caution.
  • The hashed password is sent on every login, and each exchange gives an eavesdropper another sample to work on, leaving more room for attack.

Should I Use APOP?

Avoid APOP authentication when possible, and use the following safer methods to sign in to a POP email account:

  • TLS/SSL: All traffic between the email program and the server is encrypted, including the username, password, and emails.
  • AUTH CRAM-MD5: Similar to APOP, the POP AUTH command using CRAM-MD5 authentication can be more secure, as the password isn't stored in the process. However, TLS/SSL is superior.

If you only have a choice between plain POP authentication and APOP, use APOP for a more secure login process.