[dovecot] Re: Some experiences

Amelia A.Lewis amyzing at talsever.com
Mon Jan 6 02:00:29 EET 2003

On 05 Jan 2003 18:48:01 -0500 "David E. Storey" <dave at tamos.net> wrote:

> While digest-md5 is fairly secure from a transport perspective, it's a
> nightmare on the server side. In order for it to work, you've got to
> store account passwords in plain text on the server. In my opinion, this
> is "plain" wrong. (pun intended) Passwords should be hashed: even for
> closed systems. The fallacy lies with the wetware and people tend to

Umm, forgive me, but as I understand DIGEST-MD5, it does store hashed. 
Are you thinking of CRAM-MD5?  As far as I know, that requires
plain-text storage on the server, and I agree with your criticisms.  I
happen to like DIGEST-MD5 because it looks like someone finally came
along and got the SASL auth mechanism right.

But perhaps I'm the one that's mistaken.

Amelia A. Lewis                    amyzing {at} talsever.com
Never imagine yourself not to be otherwise than what it might appear to
others that what you were or might have been was not otherwise than what
you had been would have appeared to them to be otherwise.
                -- The Duchess [Lewis Carroll]

More information about the dovecot mailing list