Firewall Wizards mailing list archives
Re: APOP and qpopper2.4, how safe?
From: Dave Roberts <dave.roberts () saaconsultants com>
Date: Wed, 10 Dec 1997 09:46:43 +0000 (GMT)
On Wed, 10 Dec 1997 daemond () ibm net wrote:
> APOP uses an encrypted password, but does this change from session to session? If not then APOP is not really much more secure than regular POP

Yes, it does change for each session. A better phrase is hashed password, as opposed to encrypted password. When the client connects to the server, the server offers a string in the greeting line, which looks something like:-

+OK QPOP (version 2.41beta1) at pop3.saaconsultants.com starting. <2205.881746763@pop3.saaconsultants.com>

The bit in angle brackets changes, and is a combination of time & PID, I think. This string is MD5'd with the user's password, and that hash is sent down the line.

Now, if a bad person is monitoring the line, they will see the greeting line anyway, and therefore this gives limited protection as that person can feed the 'seed' into their brute force cracker, but it does protect against casual sniffers, and replay attacks.

> shell or ftp access using that person's account (provided that no one figures out how to decrypt an encrypted APOP password).

Source code and documentation are available; if you have the spare CPU cycles, I'm sure it can be done eventually. Yet another good reason for changing passwords regularly.

-- 
Dave Roberts
For PGP Key - send mail with subject of 'get pgp':-
Firewall Chappie =51 4B 6A 35 3F C4 B6 3D 13 88 0C B2 48 61 51 1C=
SAA Consultants Ltd
Std disclaimer applies, it's nothing to do with them
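The APOP exchange described above, written out as an added example (not code from the thread or from qpopper): the server's per-session challenge is the angle-bracketed token in the greeting, the client sends MD5(challenge || password) in hex as RFC 1939 specifies, and the server recomputes it from the secret it stores. Function names, the host name and the sample PID/time are my own constructed values.

```python
import hashlib
import hmac
import re

# The challenge token is the <...@...> part of the greeting (RFC 1939 APOP).
TIMESTAMP_RE = re.compile(r"<[^<>]+@[^<>]+>")


def make_banner(host: str, pid: int, now: int) -> str:
    """Server greeting; the <pid.time@host> token changes every session."""
    return f"+OK QPOP (version 2.41beta1) at {host} starting. <{pid}.{now}@{host}>"


def extract_timestamp(banner: str) -> str:
    """Pull the challenge out of the greeting line; no token means no APOP offered."""
    m = TIMESTAMP_RE.search(banner)
    if m is None:
        raise ValueError("no <timestamp> in greeting; server does not offer APOP")
    return m.group(0)


def apop_digest(timestamp: str, password: str) -> str:
    """Client side: MD5 over challenge followed by the shared secret, 32 lowercase hex chars."""
    return hashlib.md5((timestamp + password).encode()).hexdigest()


def apop_command(banner: str, user: str, password: str) -> str:
    """Build the 'APOP name digest' line the client sends instead of USER/PASS."""
    return f"APOP {user} {apop_digest(extract_timestamp(banner), password)}"


def server_verify(timestamp: str, stored_password: str, command: str) -> bool:
    """Server side: APOP forces the server to keep the password in recoverable form,
    because it must recompute the same digest; compare in constant time."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    expected = apop_digest(timestamp, stored_password)
    return hmac.compare_digest(expected, parts[2].lower())


if __name__ == "__main__":
    # Constructed session: same password, two different greetings -> two different digests,
    # so a digest captured in one session is useless if replayed in the next.
    b1 = make_banner("pop3.example.test", 2205, 881746763)
    b2 = make_banner("pop3.example.test", 2206, 881746799)
    c1 = apop_command(b1, "dave", "s3cret")
    print(c1, server_verify(extract_timestamp(b1), "s3cret", c1))
    print(server_verify(extract_timestamp(b2), "s3cret", c1))  # replay rejected
```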
