> A lot of “bots” try very simple passwords, say less than X
> characters, over and over and over again before they give up.
>
> I realize Dovecot mitigates this by slowing them down; but always nice to
> have another optional layer of defense to clip this kind of garbage closer
> to the door.
Robert Blayzor writes:
Is there a way to configure Dovecot to perhaps filter/enforce which
passwords are accepted before authenticating? I.e.: Reject immediately
(without a database lookup) if password is not X characters in length?
Yes, use the checkpassword hook.
> On August 5, 2016 at 9:10 PM Robert Blayzor wrote:
>
>
> On Aug 5, 2016, at 12:12 PM, Aki Tuomi wrote:
> >
> > The response time will be the same anyways.
> >
> > Anyways. It is better to enforce this kind of thing when users define the
> >
On Aug 5, 2016, at 12:12 PM, Aki Tuomi wrote:
>
> The response time will be the same anyways.
>
> Anyways. It is better to enforce this kind of thing when users define the
> password than during login.
The idea would be to mitigate unnecessary database dips for password
> On August 5, 2016 at 6:47 PM "Michael A. Peters"
> wrote:
>
>
> On 08/05/2016 08:41 AM, Robert Blayzor wrote:
> > Is there a way to configure Dovecot to perhaps filter/enforce which
> > passwords are accepted before authenticating?
> >
> > I.e.: Reject immediately
On 08/05/2016 08:41 AM, Robert Blayzor wrote:
Is there a way to configure Dovecot to perhaps filter/enforce which passwords
are accepted before authenticating?
I.e.: Reject immediately (without a database lookup) if password is not X
characters in length?
Not sure what the benefit would
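
The length pre-check asked about in this thread, sketched against the generic checkpassword interface (credentials arrive on file descriptor 3 as `user\0password\0timestamp\0`; exit code 0 accepts, 1 rejects, 2 is misuse, 111 is a temporary error). This is an added example, not code from the thread or from Dovecot; `MIN_LEN`, `decide`, `run_hook` and `DemoBackend` are hypothetical names, and the user table is constructed sample data.

```python
import hmac, os, sys

MIN_LEN = 8  # assumed value for the thread's "X"

def parse_checkpassword(buf: bytes):
    """Split the fd 3 input: user NUL password NUL timestamp NUL."""
    fields = buf.split(b"\0")
    if len(fields) < 3:
        raise ValueError("malformed checkpassword input")
    return fields[0], fields[1]

def decide(buf: bytes, verify, min_len: int = MIN_LEN) -> int:
    """Return a checkpassword exit code: 0 accept, 1 reject, 2 misuse, 111 temporary."""
    try:
        user, password = parse_checkpassword(buf)
    except ValueError:
        return 2
    if not user or len(password) < min_len:  # length is counted in bytes
        return 1  # rejected here; verify() (the database) is never called
    try:
        return 0 if verify(user, password) else 1
    except Exception:
        return 111  # backend unavailable: temporary failure, not a bad password

def run_hook(verify):
    """Entry point when installed as the checkpassword program (hypothetical wiring)."""
    with os.fdopen(3, "rb") as f:
        code = decide(f.read(512), verify)
    if code == 0 and len(sys.argv) > 1:
        os.execv(sys.argv[1], sys.argv[1:])  # on success, run the program passed as argument
    sys.exit(code)

class DemoBackend:
    """Constructed stand-in for the real password database; counts lookups."""
    def __init__(self):
        self.lookups = 0
        self.users = {b"alice": b"correct horse battery"}  # constructed sample account

    def __call__(self, user, password):
        self.lookups += 1
        return hmac.compare_digest(self.users.get(user, b""), password)

if __name__ == "__main__":
    db = DemoBackend()
    for raw in (b"alice\x00abc\x000\x00", b"alice\x00correct horse battery\x000\x00"):
        print(decide(raw, db), "lookups so far:", db.lookups)
```

The check only saves the backend lookup; as noted in the thread, the client-visible response time stays the same because the failure delay still applies.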