I noticed that if your password is longer than 8 characters in length, roundcube ignores the full password and allows you to log in by entering an incomplete password.
An example...
Lets say I have the following email addres: emailme@thisemailaddress.com and the password for this account is: 12345678987654321
I can login by entering emailme@thisemailaddress.com in the username field and 12345678 in the password field. The rest of the password is either ignored or not required at all?
This is present on 0.9.0 and 1.2.0