CertiGuide to Security+  9  Chapter 2:  Communication Security (Domain 2.0; 20%)       9  2.2  Email            9  2.2.3  Vulnerabilities

Message Forgery 1 Client-Side Issues

Another issue with email-related communication is password security. Many implementations of the POP3 and IMAP4 mail-retrieval protocols still require users to send their user name and password to the mail server in clear text (that is, not encoded, and in a form that can be easily observed by someone monitoring network traffic). Clear text passwords are a bad thing, particularly because they often allow access to resources beyond a POP3 server – like an ISP’s network, a UNIX host, a Windows user account, etc.

Microsoft’s answer to this was to create a “Secure Password Authentication” mechanism for POP3 connections to Exchange, which is best described as a version of the NT authentication process with a few enhancements. While it avoids clear text passwords, this “solution” seems to cause other security issues, at least when the Outlook Express client is used for an SPA connection.¹⁷⁵. One way to get around the issue of sending your password in clear text is to forgo using a POP3 or IMAP4 client and instead use your ISP or email provider’s “web mail” connection to send and receive mail via SSL.

Message Forgery 1 Client-Side Issues