Adam McKenna wrote:
> 
> On Sun, Jul 02, 2000 at 04:52:25PM -0700, Tom Fishwick wrote:
> > Adam McKenna wrote:
> > >
> > > On Sun, Jul 02, 2000 at 11:47:20PM +0200, Peter van Dijk wrote:
> > > > On Sun, Jul 02, 2000 at 12:53:04PM -0700, Joseph R. Junkin wrote:
> > > > > What exactly is APOP?
> > > >
> > > > APOP is an authentication mechanism for POP, in which passwords are not
> > > > transmitted cleartext but *do* need to be in a cleartext-list on the
> > > > server.
> > >
> > > Which is the reason I'll never use it.
> >
> > The way I understand it is that apop uses more of a secret and not a password.  I just finished
> > putting in apop support for a pop server I wrote for a webmail system.  Users don't use their normal
> > password, but instead have the server generate a random secret that is about 50 characters long,
> > then they cut/paste that secret into their MUA.  Also, according to rfc1939 a pop3 account
> > shouldn't allow both user/pass and apop for a given user.
> 
> First of all, I really didn't need 4 copies of that e-mail.

sorry bout that

> 
> What I said was that I'll never use APOP because it requires the passwords to
> be stored in cleartext on the server.  Which part of that are you disagreeing
> with?

I'm not disagreeing with anything.  Just wanted to point out that the password that's being stored
on the server for apop is not (well, shouldn't be) the same password you would use for user/pass
auth.  Sure it's not totally secure, but I think it protects well enough against the average user
that checks for new mail every 5 min.

> 
> --Adam

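The APOP exchange discussed in this thread, as an added example that is not part of the original messages or of anyone's server code. The digest rule and the first banner timestamp follow RFC 1939; `ApopServer`, `generate_secret`, the account name and the second timestamp are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def generate_secret(length=50):
    """Server-generated random secret, as in the webmail setup described above."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def apop_digest(timestamp, secret):
    """RFC 1939 APOP: MD5 over the banner timestamp (angle brackets included)
    followed by the shared secret, sent as lowercase hex."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


class ApopServer:
    """Hypothetical server-side store (illustration only)."""

    def __init__(self):
        # The secret itself must be recoverable: the digest input changes with
        # every banner, so a stored one-way hash of the secret is useless here.
        self.secrets = {}

    def enroll(self, user):
        self.secrets[user] = generate_secret()
        return self.secrets[user]  # the user pastes this into the MUA

    def verify(self, user, timestamp, digest):
        secret = self.secrets.get(user)
        if secret is None:
            return False
        expected = apop_digest(timestamp, secret)
        return hmac.compare_digest(expected, digest.lower())


if __name__ == "__main__":
    server = ApopServer()
    secret = server.enroll("alice")               # constructed account name
    banner = "<1896.697170952@dbc.mtview.ca.us>"  # timestamp from RFC 1939's example
    reply = apop_digest(banner, secret)           # what the client sends on the wire
    print("APOP alice", reply)
    print("accepted:", server.verify("alice", banner, reply))
    # A captured reply is bound to one banner (second timestamp is constructed).
    print("replayed:", server.verify("alice", "<1897.697170999@dbc.mtview.ca.us>", reply))
```

Because the stored value is a random secret used only for APOP, a compromise of the server's list exposes that secret and not the password used for user/pass logins.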