[Dovecot] salted passwords

Nick Rosier nick+dovecot at bunbun.be
Sun Feb 14 12:56:24 EET 2010


Leonardo Rodrigues wrote:
>     The idea of salted hash algorithms is to generate a different hash 
> even if the same text is entered. That can be easily seen with dovecotpw:
>
>
>     using NON-salted SHA256, same hash is generated for a given password
>
> [root at correio ~]# dovecotpw -s SHA256 -p 123
> {SHA256}pmWkWSBCL51Bfkhn79xPuKBKHz//H6B+mY6G9/eieuM=
> [root at correio ~]# dovecotpw -s SHA256 -p 123
> {SHA256}pmWkWSBCL51Bfkhn79xPuKBKHz//H6B+mY6G9/eieuM=
> [root at correio ~]# dovecotpw -s SHA256 -p 123
> {SHA256}pmWkWSBCL51Bfkhn79xPuKBKHz//H6B+mY6G9/eieuM=
> [root at correio ~]#
>
> using SALTED SHA256, a different hash is generated for the same given 
> password
>
> [root at correio ~]# dovecotpw -s SSHA256 -p 123
> {SSHA256}FpJZqafpEVKp2heepp9Z7+OeHaX+DBVpLzd6GKg3BW1XqDS0
> [root at correio ~]# dovecotpw -s SSHA256 -p 123
> {SSHA256}6lWmvtO3SKG5RMET5n89WMIp0xeCg3U14xH1xnAXbvkr8Yjk
> [root at correio ~]# dovecotpw -s SSHA256 -p 123
> {SSHA256}7fXVjC7Iiu0Ko9SgyBpbDvbwMSkoxMILRjDUE0nNpCHBFaIa
> [root at correio ~]#
>
>
>     This idea is OK to me ...
>
>     but I'm having a hard time trying to figure out how my 
> dovecot-sql.conf would be in the case I store salted SHA256 passwords 
> in the database. The idea is to use a RANDOM salt, not a fixed one, 
> just like dovecotpw does.
>
>     would it be as simple as changing the 'password', which today is 
> plaintext, to something like
>
> concat('{SHA256}',password)   ???
>
>     don't I have to give the salt somehow? Or should I store the 
> salt used in the password, for example as the first or last N characters ....
>
>     is there anyone using dovecot with MySQL and SSHA256 passwords 
> who can share their dovecot-sql.conf file with me? 
How about just putting

default_pass_scheme = SSHA256

in your dovecot-sql file? I do it that way for CRAM-MD5.

Rgds,
N.
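The reason a bare `default_pass_scheme = SSHA256` is enough is that the salt is not stored anywhere separately: an SSHA256 value is base64 of the 32-byte SHA256 digest with the random salt appended, so Dovecot recovers the salt from the stored value itself at login. The script below is an added illustration, not code from the thread or from Dovecot; it assumes that layout (digest of `password || salt`, then the salt, 4 bytes from dovecotpw) and re-creates both schemes so the strings quoted in the thread can be checked offline. The `SALT_LEN` constant and the `THREAD_*` sample values are taken from the quoted output above.

```python
"""Added example (not from the mailing-list thread or Dovecot itself).
Assumed layout of Dovecot's salted scheme:
    {SSHA256}base64( SHA256(password || salt) || salt )
The unsalted scheme is simply {SHA256}base64( SHA256(password) )."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes
SALT_LEN = 4  # assumption: the salt length dovecotpw uses for the SSHA family

# dovecotpw output quoted in the thread above, all generated for the password "123".
THREAD_SHA256 = "{SHA256}pmWkWSBCL51Bfkhn79xPuKBKHz//H6B+mY6G9/eieuM="
THREAD_SSHA256 = [
    "{SSHA256}FpJZqafpEVKp2heepp9Z7+OeHaX+DBVpLzd6GKg3BW1XqDS0",
    "{SSHA256}6lWmvtO3SKG5RMET5n89WMIp0xeCg3U14xH1xnAXbvkr8Yjk",
    "{SSHA256}7fXVjC7Iiu0Ko9SgyBpbDvbwMSkoxMILRjDUE0nNpCHBFaIa",
]


def make_sha256(password: str) -> str:
    """Unsalted scheme: the same password always yields the same string."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return "{SHA256}" + base64.b64encode(digest).decode("ascii")


def make_ssha256(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scheme: a fresh random salt is hashed with the password and then
    appended to the digest, so every call produces a different stored value."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha256(stored: str) -> Tuple[bytes, bytes]:
    """Recover (digest, salt) from a stored value: everything after the
    32-byte digest is the salt, whatever length the generator chose."""
    prefix = "{SSHA256}"
    if not stored.startswith(prefix):
        raise ValueError("not an SSHA256 value")
    raw = base64.b64decode(stored[len(prefix):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("value has no salt after the digest")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha256(password: str, stored: str) -> bool:
    """What the server does at login: re-hash the candidate with the salt
    taken from the stored value and compare digests in constant time."""
    digest, salt = split_ssha256(stored)
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def check_thread_samples(password: str = "123") -> dict:
    """Check the thread's quoted dovecotpw output against the password it used."""
    return {
        "sha256_matches": make_sha256(password) == THREAD_SHA256,
        "ssha256_salt_lengths": [len(split_ssha256(s)[1]) for s in THREAD_SSHA256],
        "ssha256_all_verify": all(verify_ssha256(password, s) for s in THREAD_SSHA256),
    }


if __name__ == "__main__":
    print(check_thread_samples())
    first, second = make_ssha256("123"), make_ssha256("123")
    print(first != second, verify_ssha256("123", first), verify_ssha256("123", second))
```

Because the salt travels inside the value, the SQL query only has to return the stored string; `default_pass_scheme` tells Dovecot how to interpret a column that has no `{SCHEME}` prefix, and a value that does carry a `{SSHA256}` prefix is interpreted by that prefix regardless of the default.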
