[Dovecot] Storing passwords encrypted... bcrypt?
Charles Marcus
CMarcus at Media-Brokers.com
Thu Jan 5 13:26:17 EET 2012
On 2012-01-03 8:58 PM, Michael Orlitzky <michael at orlitzky.com> wrote:
> On 01/03/2012 08:25 PM, Charles Marcus wrote:
>> What I'm worried about is the worst case scenario of someone getting
>> ahold of the entire user database of *stored* passwords, where they can
>> then take their time and brute force them at their leisure, on *their*
>> *own* systems, without having to hammer my server over smtp/imap and
>> without the automated limit of *my* fail2ban getting in their way.
> To prevent rainbow table attacks, salt your passwords. You can make them
> a little bit more difficult in plenty of ways, but salt is the /solution/.
Go read that link (you obviously didn't yet), because he claims that
salting passwords is next to *useless*...
>> As for people writing their passwords down... our policy is that it is a
>> potentially *firable* *offense* (never even encountered one case of
>> anyone posting their password, and I'm on these systems off and on all
>> the time) if they do post these anywhere that is not under lock and key.
>> Also, I always set up their email clients for them (on their
>> workstations and on their phones) - and of course tell it to remember the
>> password, so they basically never have to enter it.
> You realize they're just walking around with a $400 post-it note with
> the password written on it, right?
Nope, you are wrong - as I have patiently explained before. They do not
*need* to write their password down.
--
Best regards,
Charles
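The point argued in this message (a leaked table of stored hashes is cracked offline, so salting alone is not the finish line and the hash must also be slow, which is what bcrypt in the subject line provides) is illustrated below with an added example. It is not code from this thread or from Dovecot; it uses PBKDF2 from Python's standard library as a stand-in for bcrypt so it runs without extra packages, and the word list and passwords are constructed for the demonstration.

```python
"""Added example (not from the thread): salting defeats a precomputed table,
but one fast hash per guess is still cheap offline; a salted *and* slow hash
(bcrypt in the thread, PBKDF2-HMAC-SHA256 from the stdlib here) adds a cost
parameter the defender controls.  Sample data is constructed."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: a tiny dictionary an attacker would precompute.
WORDLIST = ["password", "letmein", "Summer2011", "correct horse"]


def unsalted_sha1(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precomputed hash -> plaintext table (the rainbow-table idea, simplified)."""
    return {unsalted_sha1(w): w for w in words}


def crack_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    # One dictionary lookup per leaked hash; no hashing at crack time at all.
    return table.get(stored_hash)


def salted_sha1(password: str, salt: bytes) -> str:
    return hashlib.sha1(salt + password.encode()).hexdigest()


def crack_salted(stored_hash: str, salt: bytes, words) -> Optional[str]:
    # The precomputed table is useless against a per-user salt, but the
    # attacker still only pays one SHA-1 per guess, on their own hardware.
    for w in words:
        if hmac.compare_digest(salted_sha1(w, salt), stored_hash):
            return w
    return None


def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2 stands in for bcrypt: salted and deliberately slow, with a work
    # factor (iterations) the defender raises as hardware gets faster.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, iterations: int = 200_000) -> str:
    """Stored form: scheme$iterations$salt$digest (format is this example's own)."""
    salt = os.urandom(16)
    digest = slow_hash(password, salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, candidate: str) -> bool:
    scheme, iters, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError("unsupported scheme")
    expected = bytes.fromhex(digest_hex)
    got = slow_hash(candidate, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(got, expected)


def crack_slow(record: str, words):
    """Offline guessing against the slow record.  Returns (match, hashes computed):
    every guess now costs the full work factor, which is the whole point."""
    computed = 0
    for w in words:
        computed += 1
        if verify(record, w):
            return w, computed
    return None, computed


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack_unsalted(unsalted_sha1("letmein"), table))
    salt = os.urandom(16)
    print("salted, table lookup:", crack_unsalted(salted_sha1("letmein", salt), table))
    print("salted, brute force:", crack_salted(salted_sha1("letmein", salt), salt, WORDLIST))
    rec = make_record("Summer2011")
    print("slow hash:", crack_slow(rec, WORDLIST))
```

Running the script shows all three stored forms of a dictionary word eventually fall to a dictionary attack; the difference is the price per guess, which is zero for the table lookup, one cheap hash for the salted form, and a tunable work factor for the slow form.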