[Dovecot] CRYPT scheme and 8 character limit

Phil Howard ttiphil at gmail.com
Fri May 7 21:16:01 EEST 2010


I've decided that having users supply cleartext passwords for me to encrypt
and encode is a bad idea, anyway.  So maybe I won't need dovecotpw.  The
idea is that users supply an already-encrypted password.  Most of the users
can fetch their login password from /etc/shadow on their own computer.

Wiki page http://wiki.dovecot.org/Authentication/PasswordSchemes indicates
that scheme name CRYPT is the one that uses the libc crypt() function.  But
it also says it uses no more than 8 characters.  Then there is MD5-CRYPT.
But that doesn't call crypt(), I presume.  No limit on password size is
indicated.  But this at least looks like SOME of the encrypted passwords I
have.

Other passwords I have have ids indicating SHA-256 and SHA-512.  Here is an
example from /etc/shadow that encrypted the clear password
"dovecotandpostfix" (in case it is necessary to test it):

$6$IwZzpjjj$p1VrkxQmgmTED8iQnQrV3sVEZpBmw2N8oD1ykOguXB5tf8aahICesX0TF6.VMThIW2QFs1buHjT3eDtnaAFhF1

The big question is, what scheme name should I use for these passwords?  I
can, of course, consider the id (6 in the above example, suggesting SHA-512)
if there is one (so far all are like this).  But the other consideration is
most of the passwords are longer than 8, some longer than 12, characters.
So apparently CRYPT can't be used in those cases (so I can't have the
automatic identification of crypt() to detect the scheme).

What scheme would I use for the various passwords?  What scheme would be
used for the above example for starters?  What if the id is 5 or 1 (the ones
documented for the crypt() call)?
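
An added example, not part of the original post: a small classifier for the password field of an /etc/shadow entry, covering the ids the post names (1, 5, 6). The 8-character limit belongs to the traditional DES method of crypt(), whose stored form is 13 characters with no `$id$` prefix; the `$id$` methods hash the whole password. The function name and all sample strings other than the hash quoted above are constructed for illustration.

```python
import re

# crypt(3) ids named in the post -> (algorithm, length of encoded hash)
MCF_METHODS = {"1": ("MD5", 22), "5": ("SHA-256", 43), "6": ("SHA-512", 86)}
B64 = r"[./0-9A-Za-z]"  # crypt's own base64 alphabet
MCF_RE = re.compile(rf"^\$(\w+)\$(?:rounds=(\d+)\$)?({B64}{{0,16}})\$({B64}+)$")
DES_RE = re.compile(rf"^{B64}{{13}}$")  # 2-char salt + 11-char hash, no prefix
# The hash quoted in the post; every other sample input here is constructed.
PAGE_HASH = ("$6$IwZzpjjj$p1VrkxQmgmTED8iQnQrV3sVEZpBmw2N8oD1ykOguXB5tf8aa"
             "hICesX0TF6.VMThIW2QFs1buHjT3eDtnaAFhF1")


def classify(field):
    """Classify one shadow password field (hypothetical helper).

    Reports the crypt() method, whether the stored string has the expected
    shape, and whether that method ignores password bytes past the 8th.
    """
    out = {"method": None, "well_formed": False, "truncates_at_8": False,
           "salt": None, "rounds": None}
    if DES_RE.match(field):
        # Traditional DES crypt: only the first 8 password bytes are hashed.
        out.update(method="DES", well_formed=True, truncates_at_8=True,
                   salt=field[:2])
        return out
    m = MCF_RE.match(field)
    if not m:
        return out  # locked ("!", "*"), empty, or not a hash at all
    ident, rounds, salt, digest = m.groups()
    if ident not in MCF_METHODS:
        out["method"] = f"unknown(${ident}$)"  # e.g. a method libc may not have
        return out
    name, length = MCF_METHODS[ident]
    ok = len(digest) == length
    if ident == "1":
        ok = ok and rounds is None and len(salt) <= 8  # MD5: no rounds= field
    out.update(method=name, well_formed=ok, salt=salt,
               rounds=int(rounds) if rounds else None)
    return out


if __name__ == "__main__":
    samples = [PAGE_HASH, "ab" + "c" * 11, "$1$saltsalt$" + "a" * 22, "!"]
    for s in samples:
        r = classify(s)
        print(f"{s[:24]:<24} {r['method']!s:<8} ok={r['well_formed']} "
              f"8-char-limit={r['truncates_at_8']}")
```

A truncated or mis-pasted hash shows up as `well_formed=False`, which is worth checking before loading user-supplied hashes into a password database.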

