This project is not covered by Drupal’s security advisory policy.


This module is no longer recommended for use on any Drupal site! Please consider either using SSL, or OpenID for a more secure login mechanism. If you are dead set on using CRAM, please read the following very carefully:

CRAM is a Drupal module that implements the Challenge-Response Authentication Mechanism as a replacement for the default login process. This allows for users to log into a non-SSL site somewhat securely. An algorithm called CRAM-MD5 ( is used to ensure that the user's password is never sent over the wire.

HOWEVER, this does NOT mean that your login session is secure. It is still very possible for someone to steal your session ID, giving them complete access to your account. There are various other attacks that can be employed against CRAM as well. Please be absolutely sure you understand this before installing.

CRAM requires Paj's excellent javascript MD5 library, available at (a link to the latest MD5.js is included in the README.txt).

Code can be checked out from the CVS repository.

Project information

  • caution Obsolete
    Use of this project is deprecated.
  • chart icon715 downloads
  • shield alertThis project is not covered by the security advisory policy.
    Use at your own risk! It may have publicly disclosed vulnerabilities.