[RCU] Strip arbitrary characters from login

Robert Blayzor rblayzor.bulk at inoc.net
Tue Jan 6 17:43:34 CET 2015


On Jan 6, 2015, at 11:38 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
> 
> this is nonsense for several reasons:
> 
> * both of our emails contain a dot in the local part
> * in case of dictionary attacks you make them
>  easier with "result in the same user"
> * any "arbitrary" char in the username makes a failed login more likely
> * if you consider an attack to the dovecot backend you can be sure that
>  dovecot has fewer security holes than your whole httpd/php/rc-stack


Thanks for your opinion.  Gmail does this very "nonsense"...

--
Robert
inoc.net!rblayzor
http://inoc.net/




