It is conjectured that use of the APOP command provides origin identification and replay protection for a POP3 session. Accordingly, a POP3 server which implements both the PASS and APOP commands must not allow both methods of access for a given user; that is, for a given "USER name" either the PASS or APOP command is allowed, but not both.
Further, note that as the length of the shared secret increases, so does the difficulty of deriving it.
Servers that answer -ERR to the USER command are giving potential attackers clues about which names are valid.
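The following is an added example, not part of this memo, showing the server-side AUTHORIZATION logic the three preceding paragraphs call for: a per-session timestamp in the greeting, the APOP digest computed as MD5 of that timestamp followed by the shared secret, verification that rejects a digest captured from an earlier session, a user table in which each name is permitted either PASS or APOP but never both, and a USER command that answers identically whether or not the name exists. The host name pop.example.net, the user table and the secrets are constructed for the example and are not values from the memo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user table for this example (not from the memo): each name has a
# shared secret and exactly one permitted method, so PASS and APOP are never
# both accepted for the same user.
USERS = {
    "mrose": {"secret": "example-apop-shared-secret", "method": "APOP"},
    "alice": {"secret": "correct horse battery staple", "method": "PASS"},
}


def make_timestamp(hostname="pop.example.net"):
    """Build a <pid.clock@host> banner timestamp that is unique to this session.

    A random value stands in for the process id so that two sessions never
    present the same challenge; that freshness is what defeats digest replay.
    """
    return "<%d.%d@%s>" % (secrets.randbelow(1 << 30), int(time.time()), hostname)


def extract_timestamp(greeting):
    """Client side: pull the <...> timestamp out of the greeting, or None if absent."""
    start = greeting.find("<")
    end = greeting.find(">", start + 1)
    if start < 0 or end < 0:
        return None
    return greeting[start:end + 1]


def apop_digest(timestamp, secret):
    """MD5 of the timestamp (angle brackets included) followed by the shared secret."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


class Pop3AuthState:
    """Server-side AUTHORIZATION state for one POP3 connection."""

    def __init__(self, hostname="pop.example.net"):
        self.timestamp = make_timestamp(hostname)
        self.user = None
        self.authenticated = False

    def greeting(self):
        return "+OK POP3 server ready " + self.timestamp

    def handle_user(self, name):
        # Always +OK, and the same text for every name: a -ERR here would tell
        # the client which mailboxes exist.
        self.user = name
        return "+OK name is a valid mailbox"

    def handle_pass(self, password):
        rec = USERS.get(self.user)
        ok = (rec is not None and rec["method"] == "PASS"
              and hmac.compare_digest(rec["secret"], password))
        if not ok:
            self.user = None
            return "-ERR invalid password"     # one generic failure message
        self.authenticated = True
        return "+OK maildrop locked and ready"

    def handle_apop(self, name, digest):
        rec = USERS.get(name)
        # Compute a digest even for unknown names and PASS-only users so the
        # failure path does the same work and returns the same message.
        if rec is not None and rec["method"] == "APOP":
            secret = rec["secret"]
        else:
            secret = secrets.token_hex(16)   # throwaway value, never matches
        expected = apop_digest(self.timestamp, secret)
        if not hmac.compare_digest(expected, digest.lower()):
            return "-ERR permission denied"
        self.user = name
        self.authenticated = True
        return "+OK maildrop locked and ready"


def run_demo():
    """Walk through a legitimate APOP login, a replay of its digest, and USER/PASS behaviour."""
    # Session 1: client reads the timestamp from the greeting and answers with APOP.
    s1 = Pop3AuthState()
    ts = extract_timestamp(s1.greeting())
    digest = apop_digest(ts, USERS["mrose"]["secret"])
    first = s1.handle_apop("mrose", digest)
    # Session 2: the same digest presented again fails, because the new
    # greeting carries a different timestamp.
    s2 = Pop3AuthState()
    replay = s2.handle_apop("mrose", digest)
    # Session 3: USER answers the same way for a bogus and a real name, and
    # PASS is refused for a user who is configured for APOP.
    s3 = Pop3AuthState()
    user_unknown = s3.handle_user("nobody")
    user_known = s3.handle_user("mrose")
    pass_for_apop_user = s3.handle_pass(USERS["mrose"]["secret"])
    return {
        "first": first,
        "replay": replay,
        "user_unknown": user_unknown,
        "user_known": user_known,
        "pass_for_apop_user": pass_for_apop_user,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-20s %s" % (key, value))
```

The replay check works only because make_timestamp produces a fresh challenge for every connection; a server that reused a fixed banner would turn APOP back into a static password sent in the clear. The constant-time comparison and the dummy digest on the failure path keep the error response independent of whether the name exists, for the same reason the text gives for USER.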
Use of the PASS command sends passwords in the clear over the network.
Use of the RETR and TOP commands sends mail in the clear over the network.
Otherwise, security issues are not discussed in this memo.