search for: pbkdf2

Thank you for your reply. It's not that simple, though. Just because some core algorithms are standardised and should be compatible doesn't mean their use in different implementations leads to interoperable data. The key point here seems to be that Dovecot just supports SHA-1 with PBKDF2, not SHA-256. So I'm out of luck here. The different formats are no longer relevant then. CRYPT-SHA512 is not anywhere near as secure as PBKDF2. But I've read and learned a lot about secure password hashing in the past 24 hours. My initial point that PBKDF2 is the state of the art has...

In case you are interested, https://wiki.dovecot.org/HowTo/ConvertPasswordSchemes By the way, I am bit sceptical that CRYPT-SHA512 is less secure than PBKDF2. CRYPT-SHA512 is not "just" SHA512(salt||password), it does at least 1000 rounds of hashing in similar way as PBKDF2 does. So, what is your reasoning for claiming that PBKDF2 is much secure than CRYPT-SHA512? Also, if you look at hashcat cracking speeds, you'll see that the speed of...

...now, GDPR requires me to use a solid state-of-the-art solution. My OS is Ubuntu 20.04, Dovecot version 2.3.7, database backend with PostgreSQL 12. Obviously, storing the plaintext password is a terrible idea. SHA-based methods aren't suitable either. bcrypt has been recommended often [1]. PBKDF2 was preferred over bcrypt even more [2]. I'm managing all database contents with an ASP.NET Core application that implements the management user frontend. It's a bit hard to find bcrypt support for .NET (there are a few NuGet packages of unknown quality [3]). .NET does however implement...

...t; state-of-the-art solution. > > My OS is Ubuntu 20.04, Dovecot version 2.3.7, database backend with > PostgreSQL 12. > > Obviously, storing the plaintext password is a terrible idea. SHA-based > methods aren't suitable either. bcrypt has been recommended often [1]. > PBKDF2 was preferred over bcrypt even more [2]. I'm managing all > database contents with an ASP.NET Core application that implements the > management user frontend. It's a bit hard to find bcrypt support for > .NET (there are a few NuGet packages of unknown quality [3]). > > .N...

Hello All, I am trying to set multiple users with passwords for modifying grub2 menu entries at boot. I know I can set a "root" user grub2 password with grub2-setpassword. I have also been able to make a grub2 user password using the grub2-mkpasswd-pbkdf2 command and adding ??? set superusers="user1" to the /etc/grub.d/40_custom file. However, I have multiple user administrators that will possibly need access to grub at boot (i.e. to boot to single user mode to fix a broken configuration file). I've tried generating two different pa...

...: FATAL: Unknown authentication mechanism "ARGON2ID" Output from doveadm pw -l doveadm pw -l SHA1 SSHA512 BLF-CRYPT PLAIN HMAC-MD5 OTP SHA512 SHA RPA DES-CRYPT CRYPT SSHA MD5-CRYPT SKEY PLAIN-MD4 PLAIN-MD5 SCRAM-SHA-1 LANMAN SHA512-CRYPT CLEAR CLEARTEXT ARGON2I ARGON2ID SSHA256 NTLM MD5 PBKDF2 SHA256 CRAM-MD5 PLAIN-TRUNC SHA256-CRYPT SMD5 DIGEST-MD5 LDAP-MD5 I assume I am making a stupid mistake, but I do not know what it is. -- Jerry

...ans you need a much longer password to mitigate them. Seems like it might be useful if OpenSSH at least had the option of using an encoding with some decent key stretching to me. Is there any good reason not to, and to not have it as the default? OpenSSH seems quite happy to accept PKCS8 keys with PBKDF2 currently, it just doesn't generate them. You just need to do it yourself e.g. http://martin.kleppmann.com/ssh-keys.html The keys generated in that article are also 3DES unfortunately but that's only because it's the default cipher here.

.../64 system with dovecot version 2.3.4 installed. I was playing around with different encryption schemes. doveadm pw -l SHA1 SSHA512 BLF-CRYPT PLAIN HMAC-MD5 OTP SHA512 SHA RPA DES-CRYPT CRYPT SSHA MD5-CRYPT SKEY PLAIN-MD4 PLAIN-MD5 SCRAM-SHA-1 LANMAN SHA512-CRYPT CLEAR CLEARTEXT SSHA256 NTLM MD5 PBKDF2 SHA256 CRAM-MD5 PLAIN-TRUNC SHA256-CRYPT SMD5 DIGEST-MD5 LDAP-MD5 There is no mention of "argon2" shown. Now, from the command line I can enter this command: ~ $ echo -n "Secret-Password" | argon2 somesalt Type: Argon2i Iterations: 3 Memory: 4096 KiB Par...

...special-built for password hashing.? Thing is it is not supported on my CentOS7 system: # doveadm pw -l MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT Of course SHA3 is not listed either...

I'm interested in using authentication via a UNIX socket as documented at http://wiki2.dovecot.org/AuthDatabase/Dict. (We are currently using a checkpassword script to enable us to authenticate against a django app that stores passwords in pbkdf2 format, but I'm concerned about scalability as we grow - specifically the comment about performance on http://wiki2.dovecot.org/AuthDatabase/CheckPassword). The example clearly shows retrieving a password, but is there some way to validate a password that was provided the way a checkpassword s...

...s >> not supported on my CentOS7 system: >> >> # doveadm pw -l >> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN >> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 >> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT >> SHA256-CRYPT SHA512-CRYPT >> >> Of course SHA3 is not listed either... >> >> > ARGON2 support is added in dovecot v2.3. It also needs to be enabled > when compiling dovecot, so varying from packagers it might or not be > available. The CRYPT ones are...

...> I was playing around with different encryption schemes. > > doveadm pw -l > SHA1 SSHA512 BLF-CRYPT PLAIN HMAC-MD5 OTP SHA512 SHA RPA DES-CRYPT CRYPT SSHA > MD5-CRYPT SKEY PLAIN-MD4 PLAIN-MD5 SCRAM-SHA-1 LANMAN SHA512-CRYPT CLEAR > CLEARTEXT SSHA256 NTLM MD5 PBKDF2 SHA256 CRAM-MD5 PLAIN-TRUNC SHA256-CRYPT > SMD5 DIGEST-MD5 LDAP-MD5 > > There is no mention of "argon2" shown. Now, from the command line I can enter > this command: > > ~ $ echo -n "Secret-Password" | argon2 somesalt > Type:...

...: -shadow -bsdauth -ldap userdbs ........ : static prefetch passwd passwd-file checkpassword sql sudo doveadm pw -l SHA1 SSHA512 SCRAM-SHA-256 BLF-CRYPT PLAIN HMAC-MD5 OTP SHA512 SHA DES-CRYPT CRYPT SSHA MD5-CRYPT PLAIN-MD4 PLAIN-MD5 SCRAM-SHA-1 CLEAR CLEARTEXT SSHA256 MD5 PBKDF2 SHA256 CRAM-MD5 PLAIN-TRUNC SMD5 DIGEST-MD5 LDAP-MD5 How do I get ARGON2I, ARGON2ID in that list? Has anybody got Dovecot to work on recent macOS with these password schemes? Any hints? Thanks, James. -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://do...

...ovia ~]# doveadm pw -s ARGON2I -p secret Fatal: Unknown scheme: ARGON2I [root at klovia ~]# doveadm pw -l MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT Previously installed argon2: grep -n argon /var/log/yum.log* /var/log/yum.log:128:Feb 13 09:01:01 Installed: libargon2-20161029-2.el7.armv7hl /var/log/yum.log:129:Feb 13 09:01:01 Installed: argon2-20161029-2.el7.armv7hl -------------- next part --------------...

...-shadow -bsdauth -ldap > userdbs ........ : static prefetch passwd passwd-file checkpassword sql > > > sudo doveadm pw -l > SHA1 SSHA512 SCRAM-SHA-256 BLF-CRYPT PLAIN HMAC-MD5 OTP SHA512 SHA DES-CRYPT CRYPT SSHA MD5-CRYPT PLAIN-MD4 PLAIN-MD5 SCRAM-SHA-1 CLEAR CLEARTEXT SSHA256 MD5 PBKDF2 SHA256 CRAM-MD5 PLAIN-TRUNC SMD5 DIGEST-MD5 LDAP-MD5 > > How do I get ARGON2I, ARGON2ID in that list? > > Has anybody got Dovecot to work on recent macOS with these password schemes? Any hints? > > Thanks, James. You need to use --with-sodium when building. Aki

...s >> not supported on my CentOS7 system: >> >> # doveadm pw -l >> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN >> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 >> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT >> SHA256-CRYPT SHA512-CRYPT >> >> Of course SHA3 is not listed either... >> >> > ARGON2 support is added in dovecot v2.3. It also needs to be enabled > when compiling dovecot, so varying from packagers it might or not be > available. The CRYPT ones are...

...+ quota: Added quota_over_flag_lazy_check setting. It avoids checking quota_over_flag always at startup. Instead it's checked only when quota is being read for some other purpose. + auth: Added a new auth policy service: http://wiki2.dovecot.org/Authentication/Policy + auth: Added PBKDF2 password scheme + auth: Added %{auth_user}, %{auth_username} and %{auth_domain} + auth: Added ":remove" suffix to extra field names to remove them. + auth: Added "delay_until=<timestamp>[+<max random secs>]" passdb extra field. The auth will wait until <time...

...+ quota: Added quota_over_flag_lazy_check setting. It avoids checking quota_over_flag always at startup. Instead it's checked only when quota is being read for some other purpose. + auth: Added a new auth policy service: http://wiki2.dovecot.org/Authentication/Policy + auth: Added PBKDF2 password scheme + auth: Added %{auth_user}, %{auth_username} and %{auth_domain} + auth: Added ":remove" suffix to extra field names to remove them. + auth: Added "delay_until=<timestamp>[+<max random secs>]" passdb extra field. The auth will wait until <time...

We still have MD5 as our default password hash, even though known-hash attacks against MD5 are relatively easy these days. We've supported SHA256 and SHA512 for many years now, so how about making SHA512 the default instead of MD5, like on most Linux distributions? Index: etc/login.conf =================================================================== --- etc/login.conf (revision

...ystem: >>>> >>>> # doveadm pw -l >>>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN >>>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 >>>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT >>>> SHA256-CRYPT SHA512-CRYPT >>>> >>>> Of course SHA3 is not listed either... >>>> >>>> >>> ARGON2 support is added in dovecot v2.3. It also needs to be enabled >>> when compiling dovecot, so varying from packager...