Re: Some security-related suggestions

Michael D'Errico <> Fri, 10 June 1994 13:47 UTC

Received: from by IETF.CNRI.Reston.VA.US id aa02298; 10 Jun 94 9:47 EDT
Received: from CNRI.RESTON.VA.US by IETF.CNRI.Reston.VA.US id ar02171; 10 Jun 94 9:47 EDT
Received: from PO5.ANDREW.CMU.EDU by CNRI.Reston.VA.US id aa01399; 10 Jun 94 3:53 EDT
Received: (from postman@localhost) by (8.6.7/8.6.6) id DAA17075; Fri, 10 Jun 1994 03:47:31 -0400
Received: via switchmail for; Fri, 10 Jun 1994 03:47:30 -0400 (EDT)
Received: from via qmail ID </afs/>; Fri, 10 Jun 1994 03:39:59 -0400 (EDT)
Received: from ( []) by (8.6.7/8.6.6) with ESMTP id DAA17800 for <>; Fri, 10 Jun 1994 03:39:53 -0400
Received: from rome ( []) by with ESMTP id AAA634 for <>; Fri, 10 Jun 1994 00:34:29 -0700
To: POP3 IETF Mailing List <>
Subject: Re: Some security-related suggestions
Date: Fri, 10 Jun 1994 00:34:28 -0700
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Michael D'Errico <>
Message-ID: <>

> (Michael D'Errico) writes:
>> All of my mail goes out as "mike" but I can set up a POP account for
>> me as "2Yhd%0_" if I want....
>Or you could alternately leave your account as "mike" and require your
>password to start with "2Yhd%0_", with no increase in security risk.
>Two reusable passwords are no better than one twice as long.

Well the reason for this is that users generally pick easily guessable
passwords, so if you pick an obscure user name for them, you have in-
creased the security of their account.  Of course there is no security
if people can sniff your local network though.

>If people want text like that given by Steve Dorner in the Security
>Considerations section, fine.  I do, however, object to prohibiting
>servers from issuing useful error messages on the USER command.

My only intention in posting the original message was to have a section
on Security Considerations that said anything other than "Security
issues are not discussed in this memo."  The text proposed by Steve,
along with that in mrose-again (about APOP), does exactly that.

Michael D'Errico