Alessandro Vesely wrote:
Even without 2FA, a password different from "12345" is probably desperately hard to guess. An activity suited for bots running at someone else's expenses.
Enabling Dovecot auth_verbose and mail_debug will show credential failures and in most cases you're right, they are nothing to worry about, especially with fail2ban monitoring repeat offenders. OTOH it also seems that few sites do anything to test password strength once it is set. Perhaps more interesting is the fact that the vast majority of ESPs don't even think about obfuscating _usernames_. Are there good reasons to use a well known string like the email address for half of a credential? While not the default it doesn't take much additional configuration to allow users to define their own MUA username which doesn't (and IMO shouldn't) have anything in common with their email address/es. Roger Marquis _______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop