[Dovecot] Storing passwords encrypted... bcrypt?

Patrick Domack patrickdk at patrickdk.com
Thu Jan 5 16:53:38 EET 2012


Quoting Noel Butler <noel.butler at ausics.net>:

> On Thu, 2012-01-05 at 04:05 +0100, Pascal Volk wrote:
>
>> On 01/05/2012 03:36 AM Noel Butler wrote:
>>
>> >
>> > Because with multiple servers, we store them all in (replicated)
>> > mysql :)  (the same with postfix/dovecot).
>> > and as I'm sure you are aware, Apache does not understand standard
>> > crypted MD5, hence why there is the second option of apache_md5_crypt()
>>
>> Oh, let me guess: You are using Windows, Netware, TPF as OS for your
>> web servers? ;-)
>>
>> man htpasswd | grep -- '-d  '
>>        -d     Use crypt() encryption for passwords. This is not
>> supported by the httpd server on Windows and Netware and TPF.
>>
>>
>> As you may have seen in my previous mail, the password is generated
>> using crypt(). HTTP Authentication works with that password hash, even
>> with the httpd from the ASF.
>>
>
>
> I think you need to do some homework, and although I now have 3.25 days
> of holidays remaining, I don't intend to waste them educating anybody
> hehe. Assuming you even know what I'm talking about, which I suspect you
> don't since you keep using console commands and things like htpasswd,
> which does not write to a mysql db, you don't seem to have comprehended
> that I do not work with flat files nor local so it is irrelevant, I use
> perl scripts for all systems management, so I hope you are not going to
> suggest that I should make a system call when I can do it natively in
> perl.
>
> But please, by all means, create a mysql db using a system crypted md5
> password, I'll even help ya, openssl passwd -1  foobartilly
>
> $1$e3a.f3uW$SYRQiMlEhC5XlnSxtxiNC/
>
> pop the entry into the db and go for your life trying to authenticate.
>
>
> and when you've gone through half bottle of bourbon trying to figure out
> why it's not working, try the apache crypted md5 version
> $apr1$yKxk.DrQ$ybcmM8mC1qD5t5FvoY9820

Mysql supports crypt right in it, so you can just submit the password
to the mysql crypt function. We know perl has to support it also.

The first thing I did when I was hired was to convert the password
database from md5 to $6$. After that, I secured the machines that I
could and majorly limited which of them could get access to the
list. About a month or two after this, we had about a thousand
accounts compromised. So someone obviously got the list in how the old
system was set, as every compromised password contains only lowercase
letters less than 8 long.


I won't say salted anything is bad, but keep the salt lengths up. Start
with 8 bytes at least.

crypt's new option to support rounds also makes it a lot of fun, too
bad I haven't seen consistent support for it yet, so I haven't been
able to make use of that option.
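As an added example (not code from this thread, from Dovecot, or from either poster), here is a small Python audit of the kind the message above describes doing by hand: walk a column of stored password hashes, classify each by its modular-crypt prefix, flag md5-based schemes that should be migrated to $6$, flag salts shorter than the 8 bytes recommended above, and note SHA-crypt entries that do not pin an explicit `rounds=` value. The two md5 hashes are the ones quoted earlier in the thread; the $6$ and hex rows are constructed and their digest parts are not real. The `$<id>$[rounds=N$]<salt>$<hash>` layout and the `rounds=` syntax for $5$/$6$ follow the glibc crypt conventions.

```python
"""Audit crypt(3)-style password hashes for weak schemes and short salts.

Added example: not code from the dovecot list thread. The SCHEMES table and
the rounds= syntax follow glibc crypt conventions; sample rows are constructed.
"""
import re

# Modular-crypt identifiers discussed in the thread.
SCHEMES = {
    "1": "md5-crypt",
    "apr1": "apache md5-crypt",
    "5": "sha256-crypt",
    "6": "sha512-crypt",
}

# $<id>$[rounds=N$]<salt>$<hash>  (rounds= is only defined for $5$ and $6$)
_CRYPT_RE = re.compile(
    r"^\$(?P<id>[a-z0-9]+)\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[^$]*)\$(?P<hash>[./0-9A-Za-z]+)$"
)
_HEX_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

MIN_SALT_BYTES = 8  # the poster's advice: start with 8 bytes at least


def inspect_hash(value: str) -> dict:
    """Classify one stored hash and list the audit findings for it."""
    findings = []
    m = _CRYPT_RE.match(value)
    if m:
        ident = m.group("id")
        scheme = SCHEMES.get(ident, f"unknown(${ident}$)")
        salt_len = len(m.group("salt"))  # salt alphabet is ASCII, so chars == bytes
        rounds = int(m.group("rounds")) if m.group("rounds") else None
        if ident in ("1", "apr1"):
            findings.append("md5-based crypt; migrate to $6$")
        if salt_len < MIN_SALT_BYTES:
            findings.append(f"salt is {salt_len} chars, below {MIN_SALT_BYTES}")
        if ident in ("5", "6") and rounds is None:
            findings.append("no explicit rounds= (library default applies)")
        return {"scheme": scheme, "salt_len": salt_len,
                "rounds": rounds, "findings": findings}
    if _HEX_MD5_RE.match(value):
        # Bare 32-hex digest: the unsalted md5 the old system in the thread used.
        return {"scheme": "unsalted md5 hex", "salt_len": 0, "rounds": None,
                "findings": ["unsalted fast hash; migrate to $6$"]}
    return {"scheme": "unrecognised", "salt_len": 0, "rounds": None,
            "findings": ["unrecognised hash format"]}


def weak_accounts(rows) -> list:
    """Return the sorted usernames whose stored hash produced any finding."""
    return sorted(user for user, stored in rows if inspect_hash(stored)["findings"])


# Constructed sample rows (the two md5 hashes are the ones quoted in the thread;
# the $6$ digest parts and the hex value are placeholders, not real digests).
SAMPLE_ROWS = [
    ("noel", "$1$e3a.f3uW$SYRQiMlEhC5XlnSxtxiNC/"),
    ("apache", "$apr1$yKxk.DrQ$ybcmM8mC1qD5t5FvoY9820"),
    ("alice", "$6$rounds=100000$Wq7aYb2cD9ef1GhI$ConstructedNotARealDigest0123456789"),
    ("bob", "$6$abc$ConstructedNotARealDigest0123456789"),
    ("legacy", "0123456789abcdef0123456789abcdef"),
]

if __name__ == "__main__":
    for user, stored in SAMPLE_ROWS:
        info = inspect_hash(stored)
        print(f"{user:8} {info['scheme']:18} salt={info['salt_len']:2} "
              f"rounds={info['rounds']} {'; '.join(info['findings'])}")
    print("needs migration:", ", ".join(weak_accounts(SAMPLE_ROWS)))
```

Running the script over the sample rows reports `alice` as clean (sha512-crypt, 16-char salt, explicit rounds) and lists the other four accounts for migration; pointing `weak_accounts` at rows pulled from the real password column gives the same report for a production table.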
