Here is the specification for LOGIN:

LOGIN mechanism

   The mechanism name associated with the LOGIN mechanism is "LOGIN".
   The authorization identity is the same string as the "user name" in
   the traditional (non-SASL) LOGIN or USER commands; the authorization
   authenticator is the same string as the traditional "password".

1. Client side of authentication protocol exchange

   The client expects the server to issue a challenge.  The client then
   responds with the authorization identity.  The client then expects
   the server to issue a second challenge.  The client then responds
   with the authorization authenticator.  The contents of both challenges
   are ignored.

   This completes the client-side LOGIN authentication.

2. Server side of authentication protocol exchange

   The server issues a string which SHOULD be "User Name" in challenge,
   and receives a client response.  This response is recorded as the
   authorization identity.  The server then issues a string which SHOULD
   be "Password" in challenge, and receives a client response.  This
   response is recorded as the authorization authenticator.  The server
   must verify that the authorization authenticator permits login as the
   authorization identity.

3. Security layer

   There are no security layers in the LOGIN mechanism.