Headsup on feature removal - password

Rupert Gallagher ruga at protonmail.com
Wed Mar 18 00:06:39 EET 2020


> Password schemes: HMAC-MD5, RPA, SKEY, PLAIN-MD4, LANMAN, NTLM, SMD5

The web is flooded with plain text passwords and hashed passwords harvested from hacked servers.

Dovecot stores passwords with the same scheme used for client authentication.

Therefore, we use crammd5/hmac-md5. It does not look like much, but is better than plaintext.

As md5 is about to go, and I have no intention to store passwords in plaintext, I need to split the scheme used to store passwords from the scheme used for authentication, and migrate storage from md5 to bcrypt.

Since this is not possible, I think I will drop passwords entirely and use certificates.
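The coupling between authentication mechanism and storage that this message describes, as an added Python illustration (not part of the original post and not Dovecot's code): a CRAM-MD5 (RFC 2195) response can only be checked by a server that holds the password itself, or an HMAC-MD5 key state equivalent to it, while a mechanism that delivers the password to the server can be checked against a salted one-way hash. PBKDF2 stands in for bcrypt because it ships with the standard library; the user, password and challenge are constructed sample values.

```python
import hashlib
import hmac
import os


def cram_md5_response(user, password, challenge):
    """Client side (RFC 2195): username, space, hex HMAC-MD5 keyed with the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def verify_cram_md5(stored_secret, challenge, response):
    """Server side: recompute the HMAC, which needs the password as the key."""
    _, _, digest = response.rpartition(" ")
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def slow_hash(password, salt):
    # Assumption: PBKDF2-SHA256 used as a stand-in for bcrypt (stdlib only).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_plain(stored, password):
    """PLAIN/LOGIN inside TLS: the server receives the password and re-hashes it."""
    salt, expected = stored
    return hmac.compare_digest(slow_hash(password, salt), expected)


def demo():
    user, password = "alice", "correct horse"      # constructed sample values
    challenge = b"<1896.697170952@mail.example>"   # constructed server challenge
    salt = os.urandom(16)
    hashed_record = (salt, slow_hash(password, salt))
    response = cram_md5_response(user, password, challenge)
    return {
        # The plaintext-equivalent store can answer the challenge.
        "cram_with_plaintext_store": verify_cram_md5(password.encode(), challenge, response),
        # A one-way hash is the wrong HMAC key, so the same valid response fails.
        "cram_with_hashed_store": verify_cram_md5(hashed_record[1], challenge, response),
        # With the password delivered to the server, the hashed store works.
        "plain_with_hashed_store": verify_plain(hashed_record, password),
        "plain_wrong_password": verify_plain(hashed_record, "guess"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```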