PAP uses a two-step handshake. First, the client passes the username and password to the server; then the server sends an "accept" or "reject" back to the client.

After a PPP link is established between client and server, PAP passes an unencrypted username and password across the link.

A hacker could capture this information and use it to access the network.
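The exchange described above, as an added example that is not part of the original page: a small Python parser that decodes the two PAP messages and lists accounts whose passwords crossed the link in cleartext, so they can be rotated. The field layout follows RFC 1334; the sample frames are constructed, the function names are hypothetical, and each frame is assumed to start at the PPP protocol field (no HDLC address/control bytes, no protocol-field compression).

```python
import struct

PPP_PROTO_PAP = 0xC023  # PPP protocol number assigned to PAP (RFC 1334)
CODES = {1: "Authenticate-Request", 2: "Authenticate-Ack", 3: "Authenticate-Nak"}

# Constructed sample frames (not real captures): client request, then server "accept".
SAMPLE_REQUEST = bytes.fromhex("c02301010011") + b"\x05alice" + b"\x06s3cret"
SAMPLE_ACK = bytes.fromhex("c02302010007") + b"\x02OK"

def _lv(buf: bytes):
    """Read a one-byte length followed by that many bytes; return (value, rest)."""
    if not buf or buf[0] > len(buf) - 1:
        raise ValueError("truncated length-value field")
    n = buf[0]
    return buf[1:1 + n], buf[1 + n:]

def parse_pap(frame: bytes) -> dict:
    """Decode one PAP packet; raise ValueError if it is not PAP or is malformed."""
    if len(frame) < 6:
        raise ValueError("too short for PPP protocol field + PAP header")
    proto, code, ident, length = struct.unpack("!HBBH", frame[:6])
    if proto != PPP_PROTO_PAP:
        raise ValueError("not a PAP frame")
    if code not in CODES or length < 4 or length > len(frame) - 2:
        raise ValueError("bad PAP code or length")
    body = frame[6:2 + length]  # Length covers code, id, length and data
    pkt = {"code": CODES[code], "id": ident}
    if code == 1:  # step 1: client sends Peer-ID and Password, both unencrypted
        peer_id, rest = _lv(body)
        password, _ = _lv(rest)
        pkt["peer_id"] = peer_id.decode("latin-1")
        pkt["password"] = password.decode("latin-1")
    else:          # step 2: server answers with Ack ("accept") or Nak ("reject")
        msg, _ = _lv(body) if body else (b"", b"")
        pkt["message"] = msg.decode("latin-1")
    return pkt

def exposed_accounts(frames) -> list:
    """Return peer IDs whose passwords were sent in cleartext (rotation candidates)."""
    seen = []
    for frame in frames:
        try:
            pkt = parse_pap(frame)
        except ValueError:
            continue  # not PAP, or malformed: ignore for this audit
        if pkt["code"] == "Authenticate-Request" and pkt["peer_id"] not in seen:
            seen.append(pkt["peer_id"])
    return seen
```

No key or secret is needed to read either field, which is why any PAP Authenticate-Request seen on a monitored link should be treated as a credential exposure.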