[Dovecot] Problem with passwords surrounded by curly braces

Benjamin R. Haskell dovecot at benizi.com
Tue Jan 8 06:38:45 EET 2008


On Mon, 7 Jan 2008, Frank Kintrup wrote:

> Hello,
>
> one of my users set his password to something surrounded by curly braces,
> and promptly all access to his mailbox was refused. After looking through
> the logs I found an entry "Unknown password scheme xxxx", where "xxxx"
> is the user's password, but without the curly braces.
> I then browsed through the documentation and there was explained that it
> is possible to prefix the password with the password scheme in curly
> braces, like "{PLAIN}xxxx" where xxxx is the password itself.
>
> Manually altering the user's password in the database to "{PLAIN}xxxx"
> (where "xxxx" is the user's password WITH curly braces) fixed this problem
> for me at this time, but the next time a user chooses such a strange password
> I would have to edit the table again. So in my opinion the {SCHEME}-prefix
> is not a useful thing. Why would anyone need it, anyway? Shouldn't all
> passwords have the same scheme which is set in the dovecot.conf file once?
>
> If the feature is indeed used: with a database lookup it should be
> replaced by an optional database field or, if that's not possible, it
> should be possible to disable this feature from the config file.
>
>
> Frank
>

Regardless of how secure your password file/database might be, it seems 
like a bad idea to enter users' passwords in plain text. Use something 
else. With the other schemes it's at least a huge annoyance for an 
attacker to recover a password. But, you can still easily set the 
passwords to known values as an administrator. (That's the whole point of 
a one-way hash like 'crypt' or 'MD5'.)

Best,
Ben
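The failure Frank describes, and the hashed-storage alternative Ben recommends, worked through in a small Python script. This is an added example, not code from the thread and not Dovecot's own password parser: the regex for the "{SCHEME}" prefix, the scheme names it accepts, and base64 of a raw SHA-256 digest as the encoding for "{SHA256}" are this example's assumptions, chosen to mimic the behaviour described above. The user password "{secret}" is a constructed sample.

```python
import base64
import hashlib
import hmac
import re

# Optional "{SCHEME}" prefix followed by the password data (plain text or hash).
# Assumption: the regex and scheme names below imitate the behaviour the thread
# describes; they are not Dovecot's own implementation.
SCHEME_RE = re.compile(r"^\{([^{}]+)\}(.*)$", re.DOTALL)


def split_scheme(stored, default_scheme="PLAIN"):
    """Return (scheme, data) for a stored password field.

    A leading "{...}" is taken as the scheme name; otherwise the configured
    default scheme applies to the whole field. This is exactly why an
    unprefixed password such as "{secret}" is misread as scheme "secret".
    """
    m = SCHEME_RE.match(stored)
    if m:
        return m.group(1), m.group(2)
    return default_scheme, stored


def sha256_b64(password):
    """Base64 of the raw SHA-256 digest (assumed encoding for {SHA256} here)."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(stored, candidate, default_scheme="PLAIN"):
    """Check a candidate password against a stored field; raise on unknown scheme."""
    scheme, data = split_scheme(stored, default_scheme)
    name = scheme.upper()
    if name == "PLAIN":
        # Constant-time comparison so timing does not leak matching prefixes.
        return hmac.compare_digest(data.encode("utf-8"), candidate.encode("utf-8"))
    if name == "SHA256":
        expected = sha256_b64(candidate).encode("ascii")
        return hmac.compare_digest(data.encode("ascii"), expected)
    # Mirrors the log line Frank saw: the "scheme" is the password minus its braces.
    raise ValueError("Unknown password scheme %s" % scheme)


def check(stored, candidate):
    """Wrap verify() so the outcome is a string: 'ok', 'fail' or 'error: ...'."""
    try:
        return "ok" if verify(stored, candidate) else "fail"
    except ValueError as exc:
        return "error: %s" % exc


if __name__ == "__main__":
    user_password = "{secret}"  # constructed sample: a password wrapped in braces
    rows = [
        ("unprefixed plain text", user_password),
        ("prefixed plain text", "{PLAIN}" + user_password),
        ("hashed, no plaintext stored", "{SHA256}" + sha256_b64(user_password)),
    ]
    for label, field in rows:
        print("%-28s %-52s -> %s" % (label, field, check(field, user_password)))
```

Running it shows the three cases side by side: the unprefixed field fails with "Unknown password scheme secret", the "{PLAIN}"-prefixed field authenticates, and the "{SHA256}" field authenticates without the database ever holding the plaintext, which sidesteps both the brace ambiguity and the plain-text storage Ben objects to.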

