Our InterWorx boxes have “Strong” passwords configured as a requirement. However, many of our users continued to make obviously weak passwords (PIN numbers, dictionary words, etc.). And of course many of those mailboxes get hacked.
Tonight I noticed that Roundcube, and I suspect the other webmail clients provided by InterWorx, will permit passwords of any strength. For example, I just set my own password to “1” and then proved it took by changing my password back, but only after providing “1” as my current password. Almost none of our customers actually use the control panel to set their own email password, so we’ve really been operating under a false sense of password security all this time. :-/