APOP: What You Need to Know About the Email Term

Crypto. ©blondinrikard; CC BY 2.0 license

APOP (acronym of "Authenticated Post Office Protocol") is an extension of the Post Office Protocol (POP) defined in RFC 1939 with which the password is sent in encrypted form.

Also Known As: Authenticated Post Office Protocol

How Does APOP Compare to POP?

With standard POP, usernames and passwords are sent in plain text over the network and can be intercepted by a malicious third party. APOP uses a shared secret—the password—that is never exchanged directly but only in an encrypted form derived from a string unique to every log-in process.

How Does APOP Work?

That unique string is usually a timestamp sent by the server when the user's email program connects. Both the server and the email program then compute a hashed version of the time stamp plus the password, the email program sends its result to the server, which authenticates the log-in of the hash matches its result.

How Secure Is APOP?

While APOP is more secure than plain POP authentication, it suffers from a number of ills that render its use problematic:

  • Both the email server and the email program need to use (and, perhaps, store) the email account password in plain text; this offers a potentially direct route to retrieving the password.
  • The algorithm to compute the encrypted form of the password, MD5, is dated and no longer considered secure. For APOP, that does not mean it is currently easily possible to crack passwords just from their encrypted form, but it still warrants caution.
  • it is problematic that the password is sent repeatedly, albeit in encrypted form; that allows for more room to attack.

Should I Use APOP?

No, avoid APOP authentication when possible.

Safer methods to sign in to a POP email account do exist. Use these instead:

  • TLS/SSL: all traffic between the email program and the server is encrypted; that includes any username and password as well as emails themselves.
  • AUTH CRAM-MD5: similar to APOP, the POP AUTH common using CRAM-MD5 authentication can be more secure as the password is not stored in the process; TLS/SSL is superior.

If you have the choice only between plain POP authentication and APOP, use APOP for a more secure log-in process.

APOP Example

Server: +OK POP3 server at your command <6734.1433969411@pop.example.com>
Client: APOP user 2014ee2adf2de85f5184a941a50918e3
Server: +OK user has 3 messages (853 octets)