Several SASL mechanisms provide for authentication using passwords.
Their security properties are different.
Threats
The user's password is at risk of compromise whenever it is used. Exposing it outside the client application (sending it to the server, or across the network) increases this risk.
Some SASL mechanisms require that the LDAP server has access to a stored copy of the user's plain-text password, or to a value derived from it that is just as useful to an attacker. In such systems, an attacker who copies the database or the backup tapes can immediately impersonate every user of the system without cracking anything: this is a very serious risk.
Controls
Avoid mechanisms such as DIGEST-MD5 that require the server to store the plain-text password or a password-equivalent hash. DIGEST-MD5 lets the server store H(username:realm:password) instead of the password itself, but that hash is all an attacker needs to answer a challenge, so it is no safer.
Avoid SASL PLAIN: it sends the password to the server in clear, exactly as simple bind does, so it is no better than simple bind and needs the same TLS protection.
Use SASL SCRAM (RFC 5802) where possible: the server stores only a salt, an iteration count and two keys derived from a salted, iterated hash (StoredKey and ServerKey), and it never sees the user's plain-text password. Establish a TLS session before authenticating. Read the Security Considerations section in RFC 5802 to understand the remaining risks: a stolen SCRAM record still allows an offline dictionary attack on the password, and an attacker who holds the record and also captures one authentication exchange (or impersonates the server) can impersonate that user.
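The SCRAM-SHA-1 exchange recommended above, shown as an added worked example (written for this page, not code from any LDAP server or SASL library): both sides of the four-message RFC 5802 exchange in Python using only hashlib and hmac. The record built by enrol() is what the server keeps, and it contains neither the password nor ClientKey; server_verify() recovers ClientKey from the proof and checks H(ClientKey) against StoredKey. Assumptions: passwords are ASCII (SASLprep normalisation is skipped) and channel binding is not used (gs2-header "n,,"). The username, password, salt and nonces are the test vector from section 5 of RFC 5802.

```python
"""SCRAM-SHA-1 (RFC 5802) exchange, client and server side, run offline.

Added example for this page; not the code of any LDAP server or SASL library.
Assumptions: ASCII passwords (SASLprep skipped), no channel binding ("n,,").
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

H = hashlib.sha1  # SCRAM-SHA-1; the same structure with sha256 gives SCRAM-SHA-256


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def parse_attrs(msg: str) -> Dict[str, str]:
    # SCRAM messages are comma-separated "k=v" pairs; base64 values contain no commas
    return dict(kv.split("=", 1) for kv in msg.split(","))


def enrol(password: str, salt: Optional[bytes] = None, iterations: int = 4096) -> Dict:
    """Build the server-side record. It holds no password and no ClientKey: only
    salt, iteration count, StoredKey = H(ClientKey) and ServerKey."""
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)  # Hi() in RFC 5802
    client_key = hmac.new(salted, b"Client Key", H).digest()
    server_key = hmac.new(salted, b"Server Key", H).digest()
    return {"salt": salt, "iterations": iterations,
            "stored_key": H(client_key).digest(), "server_key": server_key}


# ---- client side ---------------------------------------------------------
def client_first(username: str, cnonce: str) -> Tuple[str, str]:
    user = username.replace("=", "=3D").replace(",", "=2C")  # saslname escaping
    bare = f"n={user},r={cnonce}"
    return "n,," + bare, bare  # (message on the wire, client-first-message-bare)


def client_final(password: str, cnonce: str, bare: str, sfirst: str) -> Tuple[str, bytes]:
    attrs = parse_attrs(sfirst)
    if not attrs["r"].startswith(cnonce):
        raise ValueError("server nonce does not extend the client nonce")
    salt, iterations = base64.b64decode(attrs["s"]), int(attrs["i"])
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", H).digest()
    stored_key = H(client_key).digest()
    without_proof = f"c=biws,r={attrs['r']}"  # biws = base64("n,,")
    auth_message = f"{bare},{sfirst},{without_proof}".encode()
    client_sig = hmac.new(stored_key, auth_message, H).digest()
    proof = xor(client_key, client_sig)  # ClientProof = ClientKey XOR ClientSignature
    server_key = hmac.new(salted, b"Server Key", H).digest()
    expected_v = hmac.new(server_key, auth_message, H).digest()  # what the server must send back
    return f"{without_proof},p={b64(proof)}", expected_v


# ---- server side ---------------------------------------------------------
def server_first(record: Dict, cnonce: str, snonce: str) -> str:
    return f"r={cnonce}{snonce},s={b64(record['salt'])},i={record['iterations']}"


def server_verify(record: Dict, bare: str, sfirst: str, cfinal: str) -> Optional[str]:
    """Return the server-final message if the proof is valid, else None. The server
    recovers ClientKey from the proof and checks H(ClientKey) == StoredKey, so it
    never needs the password."""
    attrs = parse_attrs(cfinal)
    if attrs.get("c") != "biws" or attrs.get("r") != parse_attrs(sfirst)["r"]:
        return None
    without_proof = cfinal[:cfinal.rfind(",p=")]
    auth_message = f"{bare},{sfirst},{without_proof}".encode()
    client_sig = hmac.new(record["stored_key"], auth_message, H).digest()
    client_key = xor(base64.b64decode(attrs["p"]), client_sig)
    if not hmac.compare_digest(H(client_key).digest(), record["stored_key"]):
        return None
    return "v=" + b64(hmac.new(record["server_key"], auth_message, H).digest())


def authenticate(username: str, password: str, record: Dict,
                 cnonce: str, snonce: str) -> Tuple[bool, List[str]]:
    """Run the full exchange; return (mutually authenticated?, transcript)."""
    c1, bare = client_first(username, cnonce)
    s1 = server_first(record, cnonce, snonce)
    c2, expected_v = client_final(password, cnonce, bare, s1)
    s2 = server_verify(record, bare, s1, c2)
    transcript = [c1, s1, c2, s2 or "e=invalid-proof"]
    if s2 is None:
        return False, transcript
    # client side: check the server proved knowledge of ServerKey (mutual authentication)
    ok = hmac.compare_digest(base64.b64decode(parse_attrs(s2)["v"]), expected_v)
    return ok, transcript


# Test vector from RFC 5802 section 5: user "user", password "pencil".
RFC_SALT = base64.b64decode("QSXCR+Q6sek8bf92")
RFC_CNONCE = "fyko+d2lbbFgONRv9qkxdawL"
RFC_SNONCE = "3rfcNHYJY1ZVvWVs7j"

if __name__ == "__main__":
    record = enrol("pencil", salt=RFC_SALT)
    ok, transcript = authenticate("user", "pencil", record, RFC_CNONCE, RFC_SNONCE)
    print("\n".join(transcript), "\nauthenticated:", ok)
```

Running the script prints the four messages exactly as they appear in RFC 5802 section 5. Note what the record gives an attacker who steals it: not the password, and not ClientKey, but enough to impersonate the server (ServerKey) and to run an offline dictionary attack against the salted hash, which is why the iteration count matters and why the TLS session is still required.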
Application
Apply this control whenever password-based authentication is required.
-- AndrewFindlay - 07 Oct 2011