Authentication via POP3

Authenticating users through a third party POP3 server (Python sample code provided) is a really interesting idea, but one that I don’t think could ever be used in the wild. Firstly, I haven’t the slightest idea what my POP3 password is as I tend to save it in my mail application and forget about it. Secondly (and more importantly) is trust: how many web sites do I trust enough to give them my email password whenever I log in?

That said, the author of the code snippet lists these and other weaknesses and seems to be suggesting that it would be best used in an intranet style environment, where it would allow web applications to authenticate using the company mail server thus avoiding administrators having to maintain multiple databases of user accounts.

Posted 10th June 2003 at 3:50 pm

3 comments

My provider's webmail uses LDAP authentication internally for webmail and other clients-only applications.
nobody - 10th June 2003 23:41 - #
Personally I think that sucks, big stylee :) That's why Sun et al (I only know of Suns involvement, don't flame me... please) created NIS, and subsequently moved over to LDAP. I think the weaknesses FAR outweigh the strengths.
Swannie - 11th June 2003 02:01 - #
I use PO3-authentication from python if I need to authenticate against local unix accounts. Due to shadow passwords you can't easily check the password (and due to crypt and md5 hash options, you actually don't want to hardcode passwd/shadow access to your python program). So I use a running POP3 server to authenticate against. This allows using everything that the POP3 server supports. It's often enough to couple authentication and reduce to one password.
Georg Bauer - 11th June 2003 15:02 - #

Comments are closed.

Previously hosted at http://simon.incutio.com/archive/2003/06/10/pop3Authentication

Simon Willison’s Weblog

Authentication via POP3

3 comments