Great Circle Associates Firewalls
(March 1997)

Subject: Re: POP3 Security
From: Ian Miller <firewalls @ scientia . com>
Date: Mon, 03 Mar 1997 14:42:25 +0000
To: firewalls @ greatcircle . com

At 13:57 03/03/97 +0200, you wrote:
>Anyone have any thoughts on this?
>
If you are using username/password POP3 logins, you have very weak security
in any case, as anyone logging in from a remote provider may be eavesdropped
on at that remote provider, compromising the password.  If you are allowing
remote logins, then I would insist on APOP (qpopper 2.0 supports this).
This is challenge/response based on a shared secret.  (See RFC1725.)  However,
if a challenge/response pair is intercepted, an attacker can mount a very
fast off-line brute-force attack.  (It is possible to try many thousands of
passwords per second on a single PC.)  Accordingly, no normal human-chosen
password is adequate.  The RFC states "... shared secrets should be long
strings (considerably longer than the 8-character example shown below)."  I
recommend system-administrator-allocated wholly random passwords of adequate
length.

Ian
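The APOP mechanism Ian describes (RFC 1725, carried forward unchanged into RFC 1939) is a single MD5 over the server's timestamp banner followed by the shared secret. The example below is added here and is not code from the original post or from qpopper; it shows the digest computation, the server-side check, and the two things his recommendation rests on: a captured pair lets each candidate secret be tested with one MD5 and no further server contact, so the secret's only protection is its entropy, and a secret allocated from a CSPRNG rather than chosen by a person supplies that entropy. The timestamp string and the secret lengths used in the test are constructed sample values.

```python
import hashlib
import math
import secrets
import string


def apop_digest(timestamp: str, shared_secret: str) -> str:
    """RFC 1725 APOP digest: MD5 of the server greeting timestamp
    (angle brackets included, e.g. '<1234.5678@host>') immediately
    followed by the shared secret, as 32 lowercase hex characters."""
    return hashlib.md5((timestamp + shared_secret).encode("ascii")).hexdigest()


def verify_apop(timestamp: str, shared_secret: str, client_digest: str) -> bool:
    """Server-side check of an 'APOP user digest' command.
    compare_digest avoids leaking match position via timing."""
    expected = apop_digest(timestamp, shared_secret)
    return secrets.compare_digest(expected, client_digest.lower())


def guess_matches_captured_pair(timestamp: str, digest: str, candidate: str) -> bool:
    """What an eavesdropper who recorded one (timestamp, digest) pair can do
    offline: one MD5 per candidate secret, with no rate limiting possible on
    the server. This is why the secret must be unguessable, not merely 'secret'."""
    return apop_digest(timestamp, candidate) == digest.lower()


# Alphabet for administrator-allocated secrets (constructed choice: printable,
# unambiguous, easy to paste into a mail client's configuration).
SECRET_ALPHABET = string.ascii_letters + string.digits


def generate_shared_secret(length: int = 32, alphabet: str = SECRET_ALPHABET) -> str:
    """Wholly random secret drawn from the OS CSPRNG, as Ian recommends."""
    if length < 1:
        raise ValueError("secret length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def secret_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random secret; a human-chosen password
    of the same length has far less because it is drawn from dictionaries."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed greeting timestamp of the form a POP3 server sends.
    ts = "<1896.857400145@pop.example.test>"
    secret = generate_shared_secret(32)
    digest = apop_digest(ts, secret)
    print("APOP digest:", digest)
    print("server accepts:", verify_apop(ts, secret, digest))
    print("8 lowercase letters: %.1f bits" % secret_entropy_bits(8, 26))
    print("32 alphanumerics: %.1f bits" % secret_entropy_bits(32, len(SECRET_ALPHABET)))
```

The entropy figures make the RFC's point concrete: an 8-character secret from a 26-letter alphabet, even if perfectly random, offers under 38 bits against an attacker who can test thousands of candidates per second without ever touching the server; a 32-character random alphanumeric secret offers roughly 190 bits, which is why the recommendation is for administrator-allocated random secrets rather than longer human-chosen ones.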


