Point-to-Point Protocol over Ethernet (PPPoE) is a network protocol for encapsulating PPP frames inside Ethernet frames. It is widely used by commercial Internet service providers to provide Internet surfing for customers who pay bills. In this paper, we analyze the security of PPPoE network. We find that we can easily collect information about both the peers and the PPPoE authentication servers. We can use such information to recover the peer's authentication password by silently impersonating the server, which is undetectable in the network. We impersonate the server in the peers' LAN and get their passwords by hijacking the peers' PPPoE connections and negotiating for using the Password Authentication Protocol (PAP). We further propose an efficient password recovery attack against the Challenge-Handshake Authentication Protocol (CHAP). We first recover the length of the used password through on-line queries, based on the weakness of MD5 input pre-processing. Then, we crack the known-length password off-line, using the probabilistic context-free grammars. We point out that PPPoE cannot be used anymore until all of the weak authentication protocols including PAP, CHAP, and Microsoft CHAP are abolished right now and replaced with more secure Extensible Authentication Protocols. Copyright © 2012 John Wiley & Sons, Ltd.