In simple words, the database client and the server prove and convince each other that they know the password without exchanging the password or the password hash. Yes, it is possible by doing a Salted Challenge and Responses, SCRAM-SHA-256, as specified by RFC 7677. This way of storing, communicating, and verifying passwords makes it very hard to break a password.
Interesting!
Once an authenticated session has been established, the session ID (or token) is temporarily equivalent to the strongest authentication method used by the application, such as username and password, passphrases, one-time passwords (OTP),
less secure sign-in technology
What does that mean exactly?
All of a sudden my Rails app's attempts to send via SMTP started getting rejected until I enabled "Less secure app access". It would be nice if I knew what was necessary to make the access considered "secure".
Update: Newer information added to this article (as well as elsewhere) leads me to believe that it is specifically sending password directly as authentication mechanism which was/is no longer permitted.
This is the note that has since been added on this page, which clarifies this point:
To help keep your account secure, from May 30, 2022, Google no longer supports the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password.
To help keep your account secure, from May 30, 2022, Google no longer supports the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password.
To keep your account more secure, Gmail no longer supports third-party apps or devices which require you to share your Google username and password. Sharing your account credentials with third-parties makes it easier for hackers to gain access to your account.