Hi everyone, Was just perusing this article about how trivial it is to decrypt passwords that are stored using most (standard) encryption methods (like MD5), and was wondering - is it possible to use bcrypt with dovecot+postfix+mysql (or posgres)? -- Best regards, Charles
On 2012-01-03 3:40 PM, Charles Marcus <CMarcus at Media-Brokers.com> wrote:> Hi everyone, > > Was just perusing this article about how trivial it is to decrypt > passwords that are stored using most (standard) encryption methods (like > MD5), and was wondering - is it possible to use bcrypt with > dovecot+postfix+mysql (or posgres)?Ooop... forgot the link: http://codahale.com/how-to-safely-store-a-password/ But after perusing the wiki: http://wiki2.dovecot.org/Authentication/PasswordSchemes it appears not? Timo - any chance for adding support for it? Or is that web page incorrect? -- Best regards, Charles
md5 is deprecated, *nix has used sha1 for a while now
On 2012-01-03 4:03 PM, David Ford <david at blue-labs.org> wrote:> md5 is deprecated, *nix has used sha1 for a while nowThat link lumps sha1 in with MD5 and others: "Why Not {MD5, SHA1, SHA256, SHA512, SHA-3, etc}?" -- Best regards, Charles
On 01/03/2012 09:40 PM Charles Marcus wrote:> Hi everyone, > > Was just perusing this article about how trivial it is to decrypt > passwords that are stored using most (standard) encryption methods (like > MD5), and was wondering - is it possible to use bcrypt with > dovecot+postfix+mysql (or posgres)?Yes it is possible to use bcrypt with dovecot. Currently you have only to write your password scheme plugin. The bcrypt algorithm is described at http://en.wikipedia.org/wiki/Bcrypt. If you are using Dovecot >= 2.0 'doveadm pw' supports the schemes: *BSD: Blowfish-Crypt *Linux (since glibc 2.7): SHA-256-Crypt and SHA-512-Crypt Some distributions have also added support for Blowfish-Crypt See also: doveadm-pw(1) If you are using Dovecot < 2.0 you can also use any of the algorithms supported by your system's libc. But then you have to prefix the hashes with {CRYPT} - not {{BLF,SHA256,SHA512}-CRYPT}. Regards, Pascal -- The trapper recommends today: deadbeef.1200501 at localdomain.org
On 01/04/12 21:06, Patrick Domack wrote:> > But still, the results are all the same, if they get the hash, it can be > broken, given time. Using more cpu expensive methods make it take longer > (like adding salt, more complex hash). But the end result is they will > have it if they want it. >Unless someone breaks either math or the hash algorithm, this is false. My password will be of little use to you in 10^20 years.