On 2018-09-07 15:09, Jay Hennigan wrote:
> On 9/7/18 12:32 PM, Michael Peddemors wrote:
>> * Do you enforce 'tough' passwords?
>
> Most formula-based "tough" passwords are only "tough" for the legitimate
> user, not an attacker.

Consider that with email protocols, this doesn't necessarily apply.
While users may need to see/use/remember their webmail password, for
IMAP/SMTP you can assign strong passwords instead of allowing users to
set their own. Users may grumble a little at first, but the pain is
short-lived and you are suddenly immune to password reuse, weak
passwords and other types of attacks.

In my experience attacks against webmail are quite uncommon, and also
can be mitigated with more flexible techniques than the SMTP protocol
offers.