Dovecot password policy
Aki Tuomi
aki.tuomi at dovecot.fi
Fri Aug 5 18:16:30 UTC 2016
> On August 5, 2016 at 9:10 PM Robert Blayzor <rblayzor.bulk at inoc.net> wrote:
>
>
> On Aug 5, 2016, at 12:12 PM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> >
> > The response time will be the same anyway.
> >
> > Anyway. It is better to enforce this kind of thing when users define the password than during login.
>
>
> The idea would be to mitigate unnecessary database dips for passwords that don’t clearly pass said password policy. Sure, you can enforce what passwords users use; but you can’t enforce what is being attempted to authenticate. A lot of “bots” try very simple passwords, say less than X characters, over and over and over again before they give up.
>
> I realize Dovecot mitigates this by slowing them down; but always nice to have another optional layer of defense to clip this kind of garbage closer to the door.
>
> At the very least have a reject empty password option.
>
> --
> Robert
> inoc.net!rblayzor
> XMPP: rblayzor.AT.inoc.net
> PGP Key: 78BEDCE1 @ pgp.mit.edu
I would like to mention the new auth policy server support. It works with weakforced.
See http://wiki2.dovecot.org/Authentication/Policy
and https://github.com/PowerDNS/weakforced
Correct usage should help you more than your plan, I promise.
Aki
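To make concrete what "auth policy server" means on the wire, here is an added example written for this page. It is not Aki's code, not weakforced, and not part of Dovecot: a tiny Python policy server that answers Dovecot's pre-auth "allow" and post-auth "report" requests and tarpits, then rejects, a client address that keeps failing. The request attribute names (login, remote, pwhash, success, policy_reject), the status convention (0 = allow, positive = tarpit that many seconds, negative = reject) and the allow/report command names follow the wiki page linked above; verify them against that page for your Dovecot version. The thresholds, the listening port, the assumed config line auth_policy_server_url = http://127.0.0.1:8080/, the acceptance of both ".../allow" and "?command=allow" URL styles, and the simulated bot traffic are assumptions made for illustration. Because the allow decision runs before the passdb lookup, a rejected or tarpitted bot never causes the database dip Robert was trying to avoid.

```python
"""Toy Dovecot auth policy server that rate-limits by client address.

Added example, not Dovecot's or weakforced's code. Dovecot POSTs one JSON
object per request: "allow" runs before the passdb lookup, "report" after.
"""
import json
import time
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Thresholds chosen for illustration only (assumption, not Dovecot defaults).
FAIL_WINDOW_SECS = 600   # forget failures older than this
TARPIT_AFTER = 3         # failures in window before we start delaying
TARPIT_SECS = 5          # delay (seconds) returned once TARPIT_AFTER is reached
REJECT_AFTER = 10        # failures in window before refusing outright

# remote address -> timestamps of recent failed logins (single-process state;
# weakforced keeps this in shared, optionally replicated, storage instead)
_failures = defaultdict(list)


def reset():
    """Forget all tracked failures (used by tests and on restart)."""
    _failures.clear()


def _recent_failures(remote, now):
    cutoff = now - FAIL_WINDOW_SECS
    _failures[remote] = [t for t in _failures[remote] if t >= cutoff]
    return len(_failures[remote])


def allow(req, now=None):
    """Pre-auth decision. Response shape Dovecot expects: {"status": N, "msg": s}
    with 0 = allow, N > 0 = tarpit N seconds, N < 0 = reject before any DB dip."""
    now = time.time() if now is None else now
    n = _recent_failures(req.get("remote", ""), now)
    if n >= REJECT_AFTER:
        return {"status": -1, "msg": "too many failed logins from this address"}
    if n >= TARPIT_AFTER:
        return {"status": TARPIT_SECS, "msg": "tarpit"}
    return {"status": 0, "msg": ""}


def report(req, now=None):
    """Post-auth bookkeeping. Dovecot includes "success" (bool) here; a real
    policy would also key on "login" and the nonce-salted "pwhash"."""
    now = time.time() if now is None else now
    remote = req.get("remote", "")
    if req.get("success"):
        _failures.pop(remote, None)    # a good login clears the counter
    else:
        _failures[remote].append(now)
    return {"status": 0, "msg": ""}


def simulate_bot(remote, attempts, start=1000.0):
    """Replay a constructed bot retrying one second apart; returns the status
    Dovecot would have received for each attempt."""
    reset()
    statuses = []
    for i in range(attempts):
        now = start + i
        req = {"login": "victim@example.net", "remote": remote,
               "protocol": "imap", "pwhash": "constructed-hash"}
        verdict = allow(req, now)
        statuses.append(verdict["status"])
        report(dict(req, success=False, policy_reject=verdict["status"] < 0), now)
    return statuses


class PolicyHandler(BaseHTTPRequestHandler):
    """Accepts both URL styles: .../allow (trailing-slash base URL) and ?command=allow."""

    def do_POST(self):
        url = urlparse(self.path)
        command = (url.path.rstrip("/").rsplit("/", 1)[-1]
                   or parse_qs(url.query).get("command", [""])[0])
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        req = json.loads(body or b"{}")
        handler = {"allow": allow, "report": report}.get(command)
        resp = handler(req) if handler else {"status": -1, "msg": "unknown command"}
        data = json.dumps(resp).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Assumed Dovecot side: auth_policy_server_url = http://127.0.0.1:8080/
    HTTPServer(("127.0.0.1", 8080), PolicyHandler).serve_forever()
```

Running simulate_bot("198.51.100.7", 12) shows the three free attempts, then seven five-second tarpits, then outright rejection, all decided before Dovecot touches the passdb. Note that the policy server never sees the cleartext password, only a nonce-salted hash, so a "reject passwords shorter than X" rule cannot live here; what it can do is stop the client that is sending them.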