diff -urN tpop3d-1.4.2.orig/cfgdirectives.c tpop3d-1.4.2/cfgdirectives.c
--- tpop3d-1.4.2.orig/cfgdirectives.c 2002-06-08 15:41:38.000000000 -0400
+++ tpop3d-1.4.2/cfgdirectives.c 2003-04-28 17:38:02.000000000 -0400
@@ -27,6 +27,7 @@
 "timeout-seconds",
 "log-facility",
 "log-stderr",
+ "log-auth-badpass",
 "apop-only",
 "mailbox",
 "no-detach",
Binary files tpop3d-1.4.2.orig/cfgdirectives.o and tpop3d-1.4.2/cfgdirectives.o differ
diff -urN tpop3d-1.4.2.orig/main.c tpop3d-1.4.2/main.c
--- tpop3d-1.4.2.orig/main.c 2002-06-25 16:28:00.000000000 -0400
+++ tpop3d-1.4.2/main.c 2003-04-28 17:33:20.000000000 -0400
@@ -60,6 +60,7 @@
 extern int append_domain; /* Do we automatically try address@hidden if user alone fails to authenticate? In pop3.c. */
 extern int strip_domain; /* Do we automatically try user if address@hidden fails to authenticate? */
 extern int apop_only; /* Quit after receiving USER. */
+extern int log_auth_badpass; /* Log the password of the failed auth attempt? */
 int log_stderr; /* Are log messages also sent to standard error? */
 int verbose; /* Should we be verbose about data going to/from the client? */
 int timeout_seconds = 30; /* How long a period of inactivity may elapse before a client is dropped. */
@@ -720,6 +721,10 @@
 if (config_get_bool("apop-only"))
 apop_only = 1;
+ /* Log the password of the failed auth attempt? */
+ if (config_get_bool("log-auth-badpass"))
+ log_auth_badpass = 1;
+
 /* Find out how long we wait before timing out.... */
 switch (config_get_int("timeout-seconds", &timeout_seconds)) {
 case -1:
diff -urN tpop3d-1.4.2.orig/pop3.c tpop3d-1.4.2/pop3.c
--- tpop3d-1.4.2.orig/pop3.c 2002-06-25 16:28:00.000000000 -0400
+++ tpop3d-1.4.2/pop3.c 2003-04-28 17:20:10.000000000 -0400
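Review bot: In main.c's second hunk (`@@ -720,6 +721,10 @@`), `log-auth-badpass` is switched on silently, and the comment `/* Log the password of the failed auth attempt? */` does not say that the password is written in cleartext to the same log stream as every other message. A rejected password is very often a mistyped real one, or a valid password for a different account, so anyone who can read or receive those logs gains credential material. I would expand the comment to `/* Log the cleartext password of failed auth attempts; off by default, exposes credentials to anyone who can read the logs. */` and emit one line at startup when the option is enabled, e.g. `log_print(LOG_WARNING, _("log-auth-badpass: failed passwords will be logged in cleartext"));`, assuming log_print is usable at this point in main.c, which the hunk does not show. The enclosing function starts and ends outside the hunk.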
@@ -35,6 +35,7 @@
 int append_domain; /* Do we automatically try address@hidden if user alone fails to authenticate? */
 int strip_domain; /* Automatically try user if address@hidden fails? */
 int apop_only; /* Disconnect any client which says USER. */
+int log_auth_badpass; /* Log the password of the failed auth attempt? */
 enum connection_action connection_do(connection c, const pop3command p) { /* This breaks the RFC, but is sensible. */
@@ -251,7 +252,11 @@
 #else
 connection_sendresponse(c, 0, _("Authentication failed."));
 #endif
- log_print(LOG_ERR, _("connection_do: client `%s': username `%s': %d authentication failures"), c->idstr, c->user, c->n_auth_tries);
+ if (log_auth_badpass) {
+ log_print(LOG_ERR, _("connection_do: client `%s': username `%s': password `%s': %d authentication failures"), c->idstr, c->user, c->pass, c->n_auth_tries);
+ } else {
+ log_print(LOG_ERR, _("connection_do: client `%s': username `%s': %d authentication failures"), c->idstr, c->user, c->n_auth_tries);
+ }
 act = do_nothing;
 }
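Review bot: In the `@@ -251,7 +252,11 @@` hunk the new `log_print` passes `c->pass` straight to `%s`, and the hunk does not show whether this failure branch can be reached with no password stored (for instance an authentication attempt that never went through PASS); a NULL argument to `%s` is undefined behaviour, so I would pass `c->pass ? c->pass : "(none)"` instead. The password is client-supplied bytes written unescaped between the quote delimiters of the message, so control or quote characters in it can break or forge log fields; `c->user` already has that property, but the new field widens it and deserves the same sanitising if any is added. A comment above the branch such as `/* Writes the rejected password in cleartext; the log must be readable by the administrator only. */` would make the exposure visible to whoever next edits this path. connection_do's body starts and ends outside the hunk.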