At 13:57 03/03/97 +0200, you wrote:
>Anyone have any thoughts on this?
>
If you are using username/password POP3 logins, you have very weak security
in any case, as anyone logging in from a remote provider may be eavesdropped
on at that remote provider, compromising the password. If you are allowing
remote logins, then I would insist on APOP (qpopper 2.0 supports this).
This is challenge/response based on a shared secret (see RFC1725). However,
if a challenge/response pair is intercepted, an attacker can mount a very
fast off-line brute-force attack. (It is possible to try many thousands of
passwords per second on a single PC.) Accordingly no normal human-chosen
password is adequate. The RFC states "... shared secrets should be long
strings (considerably longer than the 8-character example shown below)." I
recommend system-administrator-allocated, wholly random passwords of adequate
length.
Ian
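The exchange Ian describes, plus the off-line attack against it, as an added example that is not part of the original message and not qpopper's code. It follows RFC 1725/1939 section 7: the server greeting carries a timestamp of the form <process-ID.clock@hostname>, and the client replies "APOP name digest" where digest is the hex MD5 of the timestamp string (angle brackets included) concatenated with the shared secret. The banner and the secret "tanstaaf" are the RFC's own worked example; the wordlist and the hostname in make_banner are constructed for the illustration, and random_secret is the "wholly random password" alternative the message recommends.

```python
import hashlib
import os
import secrets
import time

# RFC 1725/1939 section 7 example greeting; the timestamp inside <...> is
# what the client must hash together with the shared secret.
RFC_BANNER = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"


def make_banner(pid, clock, host="pop.example.org"):
    """Server side: greeting with a fresh timestamp (hostname is assumed)."""
    return "+OK POP3 server ready <%d.%d@%s>" % (pid, clock, host)


def extract_timestamp(banner):
    """Pull the <...> timestamp out of the greeting, brackets included."""
    start = banner.index("<")
    end = banner.index(">", start)
    return banner[start:end + 1]


def apop_digest(timestamp, secret):
    """digest = hex(MD5(timestamp || shared_secret)), as the RFC specifies."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def client_apop_command(banner, user, secret):
    """Client side: build the APOP command line sent after the greeting."""
    return "APOP %s %s" % (user, apop_digest(extract_timestamp(banner), secret))


def server_verify(banner, command, secrets_db):
    """Server side: recompute the digest from the stored plaintext secret.

    APOP obliges the server to keep the secret itself (not a hash), which
    is one more reason the secrets should be random and per-user.
    """
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    user, digest = parts[1], parts[2]
    secret = secrets_db.get(user)
    if secret is None:
        return False
    expected = apop_digest(extract_timestamp(banner), secret)
    # constant-time compare so the check itself leaks nothing via timing
    return secrets.compare_digest(expected, digest)


def offline_bruteforce(banner, command, wordlist):
    """Eavesdropper side: one captured banner/APOP pair is enough.

    Each guess costs a single MD5 and needs no further contact with the
    server, so the only thing limiting the attacker is secret entropy.
    """
    timestamp = extract_timestamp(banner)
    observed = command.split()[2]
    for guess in wordlist:
        if apop_digest(timestamp, guess) == observed:
            return guess
    return None


def guesses_per_second(timestamp, seconds=0.2):
    """Rough measurement of how fast guesses can be tested on this machine."""
    count = 0
    deadline = time.time() + seconds
    while time.time() < deadline:
        apop_digest(timestamp, "guess%d" % count)
        count += 1
    return count / seconds


def random_secret(nbytes=16):
    """Administrator-allocated random secret: nbytes*8 bits of entropy."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    cmd = client_apop_command(RFC_BANNER, "mrose", "tanstaaf")
    print("C:", cmd)
    print("server accepts:", server_verify(RFC_BANNER, cmd, {"mrose": "tanstaaf"}))
    # constructed wordlist; a short human-chosen secret falls immediately
    print("recovered:", offline_bruteforce(RFC_BANNER, cmd, ["password", "letmein", "tanstaaf"]))
    print("guesses/s on this PC: %.0f" % guesses_per_second(extract_timestamp(RFC_BANNER)))
    # a random 128-bit secret is out of reach of any wordlist
    live = make_banner(os.getpid(), int(time.time()))
    strong = random_secret()
    cmd2 = client_apop_command(live, "alice", strong)
    print("recovered:", offline_bruteforce(live, cmd2, ["password", "letmein", "tanstaaf"]))
```

The digest for the RFC's example pair (timestamp <1896.697170952@dbc.mtview.ca.us>, secret "tanstaaf") is c4c9334bac560ecc979e58001b3e22fb, which is the value the RFC prints, so the helper can be checked against the specification. Note that the timestamp changes per connection, so a captured digest cannot be replayed, but it does nothing to slow the dictionary attack on the secret itself.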