On Aug 5, 2016, at 12:12 PM, Aki Tuomi <aki.tu...@dovecot.fi> wrote:
> 
> The response time will be the same anyways. 
> 
> Anyways. It is better to enforce this kind of thing when users define the 
> password than during login.


The idea would be to mitigate unnecessary database dips for passwords that don’t 
clearly pass said password policy. Sure, you can enforce what passwords users 
use, but you can’t enforce what is being attempted to authenticate. A lot of 
“bots” try very simple passwords, say less than X characters, over and over and 
over again before they give up.

I realize Dovecot mitigates this by slowing them down, but it’s always nice to have 
another optional layer of defense to clip this kind of garbage closer to the 
door.

At the very least, have a “reject empty password” option.

--
Robert
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu
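The gate Robert describes, as an added example that is not part of the thread and not Dovecot code: a cheap policy check runs before the password backend is consulted, so attempts that could never satisfy the policy (empty or too-short guesses) never cost a database lookup. The minimum length, the in-memory backend and the attempt log are all constructed stand-ins.

```python
"""Pre-authentication password-policy gate (illustrative, not Dovecot's own)."""
from dataclasses import dataclass

MIN_LEN = 8  # assumed policy value for the demo; not a Dovecot setting


@dataclass
class FakeBackend:
    """Stand-in for the password database; counts how often it is hit."""
    users: dict
    lookups: int = 0

    def verify(self, user: str, password: str) -> bool:
        self.lookups += 1
        # Plaintext comparison only because this is a demo backend.
        return self.users.get(user) == password


def passes_policy(password: str, min_len: int = MIN_LEN) -> bool:
    """Reject anything that can never satisfy the policy; an empty password
    never passes, which is the minimal 'reject empty password' option."""
    return len(password) >= min_len


def authenticate(backend: FakeBackend, user: str, password: str,
                 min_len: int = MIN_LEN) -> bool:
    if not passes_policy(password, min_len):
        return False  # rejected at the door: no database dip
    return backend.verify(user, password)


def run_attempts(attempts, users, min_len=MIN_LEN):
    """Replay (user, password) attempts; return (successes, backend lookups)."""
    backend = FakeBackend(dict(users))
    ok = sum(authenticate(backend, u, p, min_len) for u, p in attempts)
    return ok, backend.lookups


# Constructed attempt log: bot-style short guesses plus one legitimate login.
ATTEMPTS = [("alice", ""), ("alice", "123"), ("alice", "pass"),
            ("alice", "qwerty"), ("bob", ""), ("bob", "1234"),
            ("alice", "correct horse")]
USERS = {"alice": "correct horse", "bob": "another long one"}

if __name__ == "__main__":
    print("with gate   :", run_attempts(ATTEMPTS, USERS))         # (1, 1)
    print("without gate:", run_attempts(ATTEMPTS, USERS, min_len=0))  # (1, 7)
```

The gate is a complement to the existing failure delay, not a replacement for it; the rejected branch should still be subject to the same slowdown so the short-circuit does not change the response timing an attacker observes.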
