Was there any reason for this message to be HTML-only?
On Wed, Mar 18, 2020 at 07:13:12AM +0200, Aki Tuomi wrote:
> <!doctype html>
> <html>
> <head>
> <meta charset="UTF-8">
> </head>
> <body>
> <div>
> <br>
> </div>
> <blockquote type="cite">
> <div>
> On 18/03/2020 00:06 Rupert Gallagher <ruga at protonmail.com> wrote:
> </div>
> <div>
> <br>
> </div>
> <div>
> <br>
> </div>
> <br>> Password schemes: HMAC-MD5, RPA, SKEY, PLAIN-MD4, LANMAN, NTLM, SMD5
> <br>
> <br>The web is flooded with plain text passwords and hashed passwords harvested from hacked servers.
> <br>
> <br>Dovecot stores passwords with the same scheme used for client authentication.
> <br>
> <br>Therefore, we use crammd5/hmac-md5. It does not look like much, but is better than plaintext.
> <br>
> <br>As md5 is about to go, and I have no intention to store passwords in plaintext, I need to split the scheme used to store passwords from the scheme used for authentication, and migrate storage from md5 to bcrypt.
> <br>
> <br>Since this is not possible, I think I will drop passwords entirely and use certificates.
> <br>
> <br>
> </blockquote>
> <div>
> <br>
> </div>
> <div>
> We are not removing CRAM-MD5/DIGEST-MD5/S-CRAM-SHA-1 or S-CRAM-SHA-256. Also just plain MD5 is still staying.
> </div>
> <div class="io-ox-signature">
> <pre>---
> Aki Tuomi</pre>
> </div>
> </body>
> </html>
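
The link between authentication mechanism and password storage raised in this thread, as an added example that is not part of the original messages: a CRAM-MD5 (RFC 2195) response can only be checked by a server that holds the HMAC key, while a mechanism that transmits the password (PLAIN) can be checked against a one-way hash. Assumptions: PBKDF2 stands in for bcrypt so the code needs only the standard library, and all function names are illustrative.

```python
import hashlib
import hmac
import os

# Test vector published in RFC 2195 (not a real account).
USER = "tim"
PASSWORD = b"tanstaaftanstaaf"
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"


def cram_md5_response(user: str, password: bytes, challenge: bytes) -> str:
    """Client: the password is the HMAC-MD5 key, the challenge is the message."""
    return f"{user} {hmac.new(password, challenge, hashlib.md5).hexdigest()}"


def verify_cram_md5(stored_secret: bytes, challenge: bytes, response: str) -> bool:
    """Server: recomputing the HMAC requires a password-equivalent secret."""
    digest = response.rpartition(" ")[2]
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """One-way storage hash (PBKDF2 here, assumed stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def verify_plain(record: tuple, password: bytes) -> bool:
    """PLAIN: the server receives the password itself and can re-hash it."""
    salt, digest = record
    return hmac.compare_digest(slow_hash(password, salt), digest)


def demo() -> dict:
    salt = os.urandom(16)
    hashed_record = (salt, slow_hash(PASSWORD, salt))
    response = cram_md5_response(USER, PASSWORD, CHALLENGE)
    return {
        "response": response,
        # Works only because the server keeps the HMAC key.
        "cram_vs_password_record": verify_cram_md5(PASSWORD, CHALLENGE, response),
        # A one-way hash of the password is the wrong HMAC key, so this fails.
        "cram_vs_hashed_record": verify_cram_md5(hashed_record[1], CHALLENGE, response),
        "plain_vs_hashed_record": verify_plain(hashed_record, PASSWORD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
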