[RCU] Strip arbitrary characters from login
rblayzor.bulk at inoc.net
Tue Jan 6 17:43:34 CET 2015
On Jan 6, 2015, at 11:38 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
> this is nonsense for several reasons:
> * both of our emails contain a dot in the local part
> * in case of dictionary attacks you make them
> easier with "result in the same user"
> * any "arbitrary" char in the username makes a failed login more likely
> * if you consider an attack to the dovecot backend you can be sure that
> dovecot has fewer security holes than your whole httpd/php/rc-stack
Thanks for your opinion. Gmail does this very "nonsense"...