Re: Some security-related suggestions

Michael D'Errico <Mike@software.com> Wed, 08 June 1994 22:04 UTC

To: POP3 IETF Mailing List <ietf-pop3+@andrew.cmu.edu>
Subject: Re: Some security-related suggestions
Date: Wed, 08 Jun 1994 14:59:46 -0700
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Michael D'Errico <Mike@software.com>
Message-ID: <19940608225946.AAA8960@rome.software.com>

John Gardiner Myers <jgm+@CMU.EDU> writes:
>Ned Freed <NED@SIGURD.INNOSOFT.COM> writes:
>>    "Providing an indication of the existence of an account in the absence of
>>    a proper password lets attackers narrow the search to known accounts, and
>>    thus represents an increased security risk." 
>
>There are people who still believe this?  Attackers can narrow the
>search to known accounts by examining the local-parts of addresses in
>messages sent from the site.

Actually with my POP server, you can have a USER login name that is not
related to any of your addresses/aliases.  All of my mail goes out as
"mike" but I can set up a POP account for me as "2Yhd%0_" if I want....

Michael D'Errico
mike@software.com
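
Added example, not part of the original message or of any server discussed in the thread: a sketch of the USER/PASS exchange showing a USER handler that indicates whether an account exists, next to a session that answers identically for an unknown name and for a known name with a wrong password. The account store, the password, the response texts after "+OK"/"-ERR", and all function and class names are assumptions made for illustration; the login name is the one from the message above.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Low iteration count keeps the demo fast; not a production setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


# Constructed account store keyed by POP login name, not by mail address.
_SALT = os.urandom(16)
ACCOUNTS = {"2Yhd%0_": (_SALT, _hash("constructed-password", _SALT))}
# Dummy record so an unknown name costs the same hashing work as a known one.
_DUMMY = (os.urandom(16), os.urandom(32))


def leaky_user(name: str) -> str:
    """USER handler that reveals whether the account exists."""
    return "+OK send PASS" if name in ACCOUNTS else "-ERR no such mailbox"


class UniformSession:
    """USER always succeeds; only PASS fails, identically in every case."""

    def __init__(self) -> None:
        self.name = None

    def user_cmd(self, name: str) -> str:
        self.name = name
        return "+OK send PASS"

    def pass_cmd(self, password: str) -> str:
        known = self.name in ACCOUNTS
        salt, stored = ACCOUNTS.get(self.name, _DUMMY)
        match = hmac.compare_digest(_hash(password, salt), stored)
        self.name = None  # a failed or completed PASS requires a new USER
        ok = known and match
        return "+OK maildrop ready" if ok else "-ERR authentication failed"


def transcript(name: str, password: str) -> list:
    """Server responses for one USER/PASS attempt against UniformSession."""
    session = UniformSession()
    return [session.user_cmd(name), session.pass_cmd(password)]
```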