> On August 5, 2016 at 9:10 PM Robert Blayzor <rblayzor.b...@inoc.net> wrote:
>
> > On Aug 5, 2016, at 12:12 PM, Aki Tuomi <aki.tu...@dovecot.fi> wrote:
> >
> > The response time will be the same anyways.
> >
> > Anyways. It is better to enforce this kind of thing when users define the
> > password than during login.
>
> The idea would be to mitigate unnecessary database dips for passwords that
> don’t clearly pass said password policy. Sure you can enforce what passwords
> users use; but you can’t enforce what is being attempted to authenticate. A
> lot of “bots” try very simple passwords say less than X characters; over and
> over and over again before they give up.
>
> I realize Dovecot mitigates this by slowing them down; but always nice to
> have another optional layer of defense to clip this kind of garbage closer to
> the door.
>
> At the very least have a reject empty password option.
>
> --
> Robert
> inoc.net!rblayzor
> XMPP: rblayzor.AT.inoc.net
> PGP Key: 78BEDCE1 @ pgp.mit.edu

I would like to mention the new auth policy server support. It works with weakforced. See
http://wiki2.dovecot.org/Authentication/Policy
and
https://github.com/PowerDNS/weakforced

Correct usage should help you more than your plan, I promise.

Aki