Dovecot password policy
Robert Blayzor
rblayzor.bulk at inoc.net
Fri Aug 5 18:10:33 UTC 2016
On Aug 5, 2016, at 12:12 PM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>
> The response time will be same anyways.
>
> Anyways. It is better to enforce this kind of thing when users define the password than during login.
The idea would be to mitigate unnecessary database dips for password that don’t clearly pass said password policy. Sure you can enforce what passwords users use; but you can’t enforce what is being attempted to authenticate. A lot of “bots” try very simple passwords say less than X characters; over and over and over again before they give up.
I realize Dovecot mitigates this by slowing them down; but always nice to have another optional layer of defense to clip this kind of garbage closer to the door.
At the very least have a reject empty password option.
--
Robert
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu
More information about the dovecot
mailing list