[Dovecot] salted passwords

Leonardo Rodrigues leolistas at solutti.com.br
Sun Feb 14 02:09:34 EET 2010


     The idea of salted hash algorithms is to generate a different hash 
even if the same text is entered. That can be easily seen with dovecotpw:


     Using NON-salted SHA256, the same hash is generated for a given password:

[root@correio ~]# dovecotpw -s SHA256 -p 123
{SHA256}pmWkWSBCL51Bfkhn79xPuKBKHz//H6B+mY6G9/eieuM=
[root@correio ~]# dovecotpw -s SHA256 -p 123
{SHA256}pmWkWSBCL51Bfkhn79xPuKBKHz//H6B+mY6G9/eieuM=
[root@correio ~]# dovecotpw -s SHA256 -p 123
{SHA256}pmWkWSBCL51Bfkhn79xPuKBKHz//H6B+mY6G9/eieuM=
[root@correio ~]#

     Using SALTED SHA256, a different hash is generated for the same given
password:

[root@correio ~]# dovecotpw -s SSHA256 -p 123
{SSHA256}FpJZqafpEVKp2heepp9Z7+OeHaX+DBVpLzd6GKg3BW1XqDS0
[root@correio ~]# dovecotpw -s SSHA256 -p 123
{SSHA256}6lWmvtO3SKG5RMET5n89WMIp0xeCg3U14xH1xnAXbvkr8Yjk
[root@correio ~]# dovecotpw -s SSHA256 -p 123
{SSHA256}7fXVjC7Iiu0Ko9SgyBpbDvbwMSkoxMILRjDUE0nNpCHBFaIa
[root@correio ~]#


     This idea is OK to me ...

     but I'm having a hard time trying to figure out how my
dovecot-sql.conf would look in the case I store salted SHA256 passwords in
the database. The idea is to use a RANDOM salt, not a fixed one, just
like dovecotpw does.

     Would it be as simple as replacing the 'password', which today is
plaintext, with something like

concat('{SHA256}',password)   ???

     Don't I have to give the salt, somehow ?? Or should I store the salt
used in the password, for example first or last N characters ....

     Is there anyone using dovecot with MySQL and SSHA256 passwords who
can share the dovecot-sql.conf file with me?





-- 


	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	My SPAMTRAP, do not email it
	gertrudes at solutti.com.br
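
On the question of where the salt lives, an added example (not part of the original post and not Dovecot's own code) that splits and verifies an SSHA256 value. It assumes the layout base64(SHA256(password + salt) + salt), which matches the 36-byte values dovecotpw printed above (32-byte digest plus 4-byte salt); the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA256}"
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes
SALT_LEN = 4  # assumption: matches the 36-byte values shown in the post

# First SSHA256 value from the post (generated there for password "123").
POSTED = "{SSHA256}FpJZqafpEVKp2heepp9Z7+OeHaX+DBVpLzd6GKg3BW1XqDS0"


def split_ssha256(stored):
    """Return (digest, salt) from a '{SSHA256}<base64>' value."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an SSHA256 value")
    raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("no salt after the digest")
    # Everything after the fixed-length digest is the salt.
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def make_ssha256(password, salt=None):
    """Hash with a fresh random salt and append the salt to the digest."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha256(password.encode() + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode()


def verify_ssha256(password, stored):
    """Recompute the digest with the embedded salt; constant-time compare."""
    digest, salt = split_ssha256(stored)
    candidate = hashlib.sha256(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    digest, salt = split_ssha256(POSTED)
    print("digest bytes:", len(digest), "salt:", salt.hex())
    fresh = make_ssha256("123")
    print(fresh, verify_ssha256("123", fresh))
```

Because the salt travels inside the stored value, the database column holds the full `{SSHA256}...` string and verification needs no separate salt field.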





