From f1f3d4c6e724c2f4c1056dd43460766f7c483965 Mon Sep 17 00:00:00 2001
From: Joey Hess <joeyh@joeyh.name>
Date: Thu, 14 May 2015 10:41:07 -0400
Subject: update re passwordauth @

---
 doc/todo/emailauth.mdwn | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/todo/emailauth.mdwn b/doc/todo/emailauth.mdwn
index aac2c988e..88096bee1 100644
--- a/doc/todo/emailauth.mdwn
+++ b/doc/todo/emailauth.mdwn
@@ -62,7 +62,7 @@ Implementation notes:
   Otherwise, someone could use passwordauth to register as a username that
   looks like an email address, which would be confusing to possibly a
   security hole. Probably best to keep passwordauth and emailauth accounts
-  entirely distinct.
+  entirely distinct. Update: passwordauth never allowed `@` in usernames.
 * Currently, subscription to comments w/o registering is handled by
   passwordauth, by creating a passwordless account (making up a username,
   not using the email address as the username thankfully). That account can be
-- 
cgit v1.2.3