Hi Jerome Bullert, you wrote:

JB> We can tell ourselves that the chance of "[EMAIL PROTECTED]"
JB> successfully entering the password of "[EMAIL PROTECTED]" is remote,
JB> but it's probably not as remote as we'd like to think. In this scenario,
JB> since we know that both "right-domain.com" and "wrong-domain.com" are
JB> serviced by the same mail system:
JB> - Odds that they service the same geographical area (or business type, or
JB>   personal interest, etc.) = High
JB> - Odds that these users live in/are connected to the same area (or
JB>   business type, or personal interest, etc.) = High
JB> As a result, the odds that these users could have the same password =
JB> Increased exponentially
JB> - Whether it's the local high school, college, or pro football team,
JB>   their favorite stock symbol, favorite porn star, etc.
JB> (We all know how the average user excels at selecting secure passwords.)
JB> Result = a lower level of security

Can't you just deactivate support for "user" altogether and require
[EMAIL PROTECTED] for EVERYONE? That should take care of accidental account
"cracking"/locking, no?

Regards,
Gabriel

_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
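An added illustration of the two behaviours discussed above (it is not code from this thread or from the Courier project): a toy login lookup for a mail system hosting several domains, with a constructed account table and a hypothetical authenticate() that either accepts a bare "user" login against every domain holding that local part, or (Gabriel's proposal) refuses anything that is not a full user@domain address.

```python
# Toy model of a multi-domain mail login. Assumptions: a constructed
# account table and a hypothetical authenticate(); not Courier's code.
import hashlib
import hmac
from typing import Optional

def _h(salt: str, pw: str) -> str:
    # Salted hash; sha256 here only to keep the example short and offline.
    return hashlib.sha256((salt + pw).encode()).hexdigest()

# Constructed sample accounts: (local part, domain) -> (salt, hash).
# Two different people are "user" in two domains served by one system.
ACCOUNTS = {
    ("user", "right-domain.com"):  ("s1", _h("s1", "Packers2003")),
    ("user", "wrong-domain.com"):  ("s2", _h("s2", "hunter2")),
    ("alice", "right-domain.com"): ("s3", _h("s3", "correct horse")),
}

def _check(key, password: str) -> bool:
    salt, digest = ACCOUNTS[key]
    return hmac.compare_digest(_h(salt, password), digest)

def authenticate(login: str, password: str, strict: bool) -> Optional[str]:
    """Return the mailbox that accepted the password, or None.

    strict=False: a bare "user" login is tried against every domain that
    has that local part, so whoever types a matching password lands in
    (or locks out) whichever mailbox happens to match first.
    strict=True:  bare logins are refused; only user@domain is looked up.
    """
    if "@" in login:
        local, domain = login.split("@", 1)
        key = (local, domain)
        if key in ACCOUNTS and _check(key, password):
            return f"{local}@{domain}"
        return None
    if strict:
        return None  # no domain given: refuse outright
    for (local, domain) in ACCOUNTS:  # the ambiguous lookup
        if local == login and _check((local, domain), password):
            return f"{local}@{domain}"
    return None
```

With strict=False, "user" plus right-domain.com's password opens the right-domain mailbox even when typed by the wrong-domain user; with strict=True the same attempt is simply rejected.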
