[Dovecot] salted passwords

tomas at tuxteam.de tomas at tuxteam.de
Sun Feb 14 08:53:55 EET 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Feb 13, 2010 at 10:09:34PM -0200, Leonardo Rodrigues wrote:
>
>     The idea of salted hash algorithms is to generate a different hash even 
> if the same text is entered. That can be easily seen with dovecotpw:

I don't know about dovecot's algorithm especially, but the idea about
salt is that you store the salt along with the password (typically the
few first chars, say two). And indeed, if you compare the lengths of
your unsalted vs. salted variants:

unsalted:
> pmWkWSBCL51Bfkhn79xPuKBKHz//H6B+mY6G9/eieuM=
salted:
> FpJZqafpEVKp2heepp9Z7+OeHaX+DBVpLzd6GKg3BW1XqDS0

there seem to be a couple of chars more in the salted variant. The
algorithm for checking is just: cut off the salt, merge with provided
password, digest (SHA), compare to stored hashed password.

>     but i'm having a hard time trying to figure out how my dovecot-sql.conf 
> would be in the case i store salted SHA256 passwords on the database. The 
> idea is to use a RANDOM salt, not a fixed one, just like dovecotpw does.

>     would it be as simple as changing the 'password', which today is 
> plaintext, by something like
>
> concat('{SHA256}',password)   ???
>
>     dont i have to give the salt, somehow ?? Or should i store the salt 
> used in the password, for example first or last N characters ....

No, just let Dovecot's algorithm do the generation (and later checking)
of the password? (I might be misunderstanding your problem, though).

Regards
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFLd54DBcgs9XrR2kYRAnUGAJwOjHhCdhOZCMH/5YkFnQbXq7satQCfTNbn
8v9/1zO1R64StmAFF/vV5so=
=KbUx
-----END PGP SIGNATURE-----


More information about the dovecot mailing list