On Mon, 18 Jan 2010, Arnt Gulbrandsen wrote:
>
> Timo's mail made me think of a different approach: Immediately expire a
> password if a server receives that password in clear text. Bang bang. (Let me
> guess: The words "support spike" entered your mind now.)

:-)

One advantage of POP's separate USER and PASS commands relative to IMAP's unified LOGIN command or SASL PLAIN is that the server can reject the USER command on unencrypted connections and with any luck the client will give up without blurting out the password. At least in theory :-)

In practice I'm not too worried about idiot client software revealing passwords because it'll only happen during the user's first attempts at configuration, so the exposure is pretty small. I might revise that opinion if a college decides to go all-wireless for network access in student bedrooms, and if against all past experience students start using MUAs en masse instead of webmail...

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.
_______________________________________________
yam mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/yam
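An added sketch, not part of the thread or of any real server's code, of the two behaviours discussed above: refusing POP3 USER before any secret is sent versus IMAP LOGIN carrying the password in the same command, plus the quoted "expire on clear-text receipt" policy. The `Server` class, `pop3_client` helper, reply texts and sample credentials are hypothetical and constructed for illustration.

```python
# Added illustration; class, function names and reply texts are hypothetical.
class Server:
    """Records which passwords reached the server over an unencrypted link."""

    def __init__(self, tls):
        self.tls = tls
        self.user = None
        self.exposed = []     # passwords received in clear text
        self.expired = set()  # accounts expired under the quoted policy

    def _cleartext(self, user, password):
        self.exposed.append(password)
        if user:
            self.expired.add(user)  # "immediately expire" on clear-text receipt

    def pop3(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            # Remembered even when refused, so a leaked PASS maps to an account.
            self.user = arg
            if not self.tls:
                return "-ERR encryption required"  # no secret on the wire yet
            return "+OK"
        if verb == "PASS":
            if not self.tls:
                self._cleartext(self.user, arg)    # client ignored the -ERR
                return "-ERR encryption required"
            # Credential verification is out of scope for this sketch.
            return "+OK" if self.user else "-ERR USER first"
        return "-ERR unknown command"

    def imap(self, line):
        parts = line.strip().split(" ")
        if len(parts) == 4 and parts[1].upper() == "LOGIN":
            tag, _, user, password = parts
            if not self.tls:
                self._cleartext(user, password)    # refusal comes too late
                return f"{tag} NO encryption required"
            return f"{tag} OK"
        return f"{parts[0]} BAD"


def pop3_client(server, user, password, stop_on_err=True):
    """Constructed client: sends USER, then PASS unless it honours -ERR."""
    reply = server.pop3(f"USER {user}")
    if reply.startswith("-ERR") and stop_on_err:
        return reply
    return server.pop3(f"PASS {password}")
```

Only a client that stops at the refused USER keeps the password off the wire; the IMAP path and the non-compliant POP3 client both land in `exposed`, which is where the expiry policy would fire.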
