CRAM-MD5

When such software requires authentication over unencrypted connections, CRAM-MD5 is preferred over mechanisms that transmit passwords "in the clear," such as LOGIN and PLAIN.

However, it can't prevent derivation of a password through a brute-force attack, so it is less effective than alternative mechanisms that avoid passwords or that use connections encrypted with Transport Layer Security (TLS).

The CRAM-MD5 protocol involves a single challenge and response cycle, and is initiated by the server.

The one-way hash and the fresh random challenge provide three types of security.

CRAM-MD5 is defined by the IETF standards-track document RFC 2195, which supersedes RFC 2095, from earlier in 1997.
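The single challenge and response cycle, sketched as an added example (not code from the original page or from RFC 2195): the server issues a fresh challenge, the client returns the user name and the HMAC-MD5 of that challenge keyed with the shared secret, and the server recomputes and compares. The class and function names, the host name and the in-memory account store are assumptions; the sample user and secret are the ones used in the RFC 2195 example, and a real server would bind the challenge to the connection rather than keep a set.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed account store. The server needs the secret itself (or an
# equivalent HMAC key state) to recompute the digest.
SECRETS = {"tim": b"tanstaaftanstaaf"}


def client_response(user, secret, b64_challenge):
    """Client: base64(user SP hex(HMAC-MD5(key=secret, msg=challenge)))."""
    challenge = base64.b64decode(b64_challenge)
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


class Server:
    def __init__(self, secrets, hostname="mail.example.org"):
        self.secrets = secrets
        self.hostname = hostname
        self.outstanding = set()  # challenges issued but not yet answered

    def issue(self):
        """Send a fresh, unpredictable msg-id style challenge (base64)."""
        raw = f"<{os.urandom(16).hex()}.{int(time.time())}@{self.hostname}>"
        self.outstanding.add(raw.encode())
        return base64.b64encode(raw.encode())

    def verify(self, b64_challenge, b64_response):
        """Recompute the digest for the claimed user and compare."""
        try:
            challenge = base64.b64decode(b64_challenge)
            text = base64.b64decode(b64_response).decode()
        except (ValueError, UnicodeDecodeError):
            return False
        if challenge not in self.outstanding:
            return False  # never issued or already answered: replay rejected
        self.outstanding.discard(challenge)  # each challenge is single use
        user, _, digest = text.rpartition(" ")
        # Unknown users get a random key so both paths do the same work.
        secret = self.secrets.get(user, os.urandom(16))
        expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
        return hmac.compare_digest(expected.encode(), digest.encode())
```

Because the digest depends on the challenge, a response captured from one exchange fails against any later challenge; the password itself never crosses the wire.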

These de facto standards define CRAM-MD5 as an authentication method for the email mailbox-management protocols POP and IMAP.

The Internet Assigned Numbers Authority (IANA) maintains a registry of SASL mechanisms,[3] including CRAM-MD5, for limited use.