We recently had an issue one of our QA guys found and we tracked it down to the use of ILIKE (postgres) in find_with_case.
What happens is that we had two accounts:
and they had the same password.
When the user logged in with server_b, he sometimes got the server.b account.
This is because the lookup is using LIKE and the '_' is a single character wildcard.
It gets even worse. Given an account, say 'barnaby', if I know the password of an account but only the partial name, I could log in with:
'bar%' and the pwd ('%' is the multichar wildcard).
This would make it easier for a user to try lots of passwords and wildcard users.
We solved this by making case sensitivity true (in acts_as_authentic), but the default is false, I believe.
In any case, seems like a hole that needs patching.
Let me know if you need further information.
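The wildcard behaviour described above, as an added example that is not part of the original report or of Authlogic: a small Ruby emulation of SQL LIKE/ILIKE matching over constructed sample accounts, showing how an unescaped login pattern matches more than one account and how escaping `%`, `_` and `\` in the user-supplied login restores a literal match (the same idea as `ILIKE ? ESCAPE '\'` or a `LOWER(login) = LOWER(?)` comparison in the real query).

```ruby
# Emulates SQL LIKE / ILIKE matching in plain Ruby to show why an
# unescaped login lookup is dangerous and how escaping fixes it.

# Convert a SQL LIKE pattern into a Ruby Regexp. '%' matches any run of
# characters, '_' matches exactly one; a backslash escapes the next char.
def like_to_regexp(pattern, case_insensitive: true)
  body = +""
  chars = pattern.chars
  i = 0
  while i < chars.length
    c = chars[i]
    case c
    when "\\"
      i += 1                         # take the next char literally
      body << Regexp.escape(chars[i].to_s)
    when "%" then body << ".*"       # multi-character wildcard
    when "_" then body << "."        # single-character wildcard
    else body << Regexp.escape(c)
    end
    i += 1
  end
  Regexp.new("\\A#{body}\\z", case_insensitive ? Regexp::IGNORECASE : 0)
end

# Escape the characters LIKE treats specially so user input is matched
# literally (pair this with ESCAPE '\' in the real Postgres query).
def escape_like(term)
  term.gsub(/[\\%_]/) { |m| "\\#{m}" }
end

# Constructed sample accounts (hypothetical, not from the original report).
ACCOUNTS = [
  { login: "server_b", password: "s3cret" },
  { login: "server.b", password: "s3cret" },
  { login: "barnaby",  password: "s3cret" },
].freeze

# Logins matched by a case-insensitive lookup for a login/password pair.
# Without escaping, wildcards inside the submitted login are honoured,
# so the lookup can return accounts the user never named.
def matching_logins(login, password, escape: false)
  pattern = escape ? escape_like(login) : login
  re = like_to_regexp(pattern)
  ACCOUNTS.select { |a| a[:login].match?(re) && a[:password] == password }
          .map { |a| a[:login] }
end
```

With `escape: true` the lookup for `server_b` returns only that account and `bar%` matches nothing, which is the behaviour the login path needs.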
This was closed up in the referenced PR.