[RCU] Strip arbitrary characters from login

Robert Blayzor rblayzor.bulk at inoc.net
Tue Jan 6 17:43:34 CET 2015

On Jan 6, 2015, at 11:38 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
> this is nonsense for several reasons:
> * both of our email contain a dot in the local part
> * in case of dictionary attacks you make them
>  easier with "result in the same user"
> * any "arbitrary" char in the username makes a failed login more likely
> * if you consider a attack to the dovecot backend you can be sure that
>  dovecot has less secure holes as your whole httpd/php/rc-stack

Thanks for your opinion.  Gmail does this very "nonsense"...


More information about the users mailing list