[Dovecot] Storing passwords encrypted... bcrypt?
Charles Marcus
CMarcus at Media-Brokers.com
Thu Jan 5 18:14:20 EET 2012
On 2012-01-05 10:28 AM, Michael Orlitzky <michael at orlitzky.com> wrote:
> On 01/05/12 06:26, Charles Marcus wrote:
>>> To prevent rainbow table attacks, salt your passwords. You can make them
>>> a little bit more difficult in plenty of ways, but salt is the
>>> /solution/.
>> Go read that link (you obviously didn't yet, because he claims that
>> salting passwords is next to *useless*...
> He doesn't claim that,
Ummm... yes, he does... from tfa:
"Salts Will Not Help You
It’s important to note that salts are useless for preventing dictionary
attacks or brute force attacks. You can use huge salts or many salts or
hand-harvested, shade-grown, organic Himalayan pink salt. It doesn’t
affect how fast an attacker can try a candidate password, given the hash
and the salt from your database.
Salt or no, if you’re using a general-purpose hash function designed for
speed you’re well and truly effed."
> but he's a crackpot anyway.
Why? I asked because I'm genuinely unsure (don't know enough about the
innards of the different encryption methods), and that's why I asked.
Simply saying he's a crackpot means nothing.
Also...
> Use a slow algorithm (others already mentioned bcrypt) to prevent
> brute-force search,
Actually, that (bcrypt) is precisely what *the author of the article*
(the one who you are saying is a crackpot) is suggesting to use - I
guess you didn't even bother to read it or else you'd know that, so why
bother commenting?
> and use salt to prevent pre-computed lookups. Anyone who tells you
> otherwise can probably be ignored. Extraordinary claims require
> extraordinary evidence.
I don't see it as an extraordinary claim, and anyone who goes around
claiming someone else is a crackpot without evidence to support the
claim is just yammering.
>>> You realize they're just walking around with a $400 post-it note with
>>> the password written on it, right?
>> Nope, you are wrong - as I have patiently explained before. They do not
>> *need* to write their password down.
> They have them written down on their phones. If someone gets a hold of
> the phone, he can just read the password off of it.
<sigh> No, they don't, your claim is baseless and without merit.
Most people have never even known what their password *is*, much less
written it down, because as I said (more than once), *I* set up their
email clients (workstations, home computers and phones) *for them*.
--
Best regards,
Charles
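The point both posters are circling (the quoted article says a salt does nothing against per-candidate guessing; the reply says use salt against precomputed lookups and a slow algorithm against brute force) can be shown concretely. The following is an added example written for this page; it is not code from the thread or from Dovecot. It uses only the Python standard library, so PBKDF2-HMAC-SHA256 stands in for bcrypt: both charge a tunable amount of work per candidate, which is the property that matters here. The wordlist, the password `hunter2` and the iteration count are constructed for the demonstration.

```python
"""Added example (not from the thread or Dovecot): a salt defeats a
precomputed (rainbow-table) lookup but does not change how many
hash computations a per-candidate dictionary attack needs; only a
deliberately slow KDF raises that cost.  PBKDF2 stands in for bcrypt."""
import hashlib
import hmac
import os
import time

# Constructed, deliberately tiny attacker dictionary, tried in order.
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty", "dragon"]


def fast_hash(password: str, salt: bytes = b"") -> bytes:
    """General-purpose fast hash: the case the quoted article warns about."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Iterated KDF: one candidate costs `iterations` HMAC-SHA256 calls.
    Stand-in for bcrypt's cost parameter (assumption for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_rainbow_table(words):
    """Precomputed unsalted-hash -> plaintext map.  Built once, reusable
    against every leaked database that used the same unsalted hash."""
    return {fast_hash(w): w for w in words}


def lookup_precomputed(table, stored_hash):
    """Zero hashing at attack time: a single dictionary lookup."""
    return table.get(stored_hash)


def crack_online(stored_hash, salt, words, hash_fn):
    """Per-candidate guessing with the leaked salt.
    Returns (recovered_password_or_None, candidates_tried)."""
    tried = 0
    for w in words:
        tried += 1
        if hmac.compare_digest(hash_fn(w, salt), stored_hash):
            return w, tried
    return None, tried


def demo(iterations: int = 10_000) -> dict:
    password = "hunter2"          # constructed victim password
    salt = os.urandom(16)         # per-user random salt, stored beside the hash

    # 1. Unsalted fast hash: the precomputed table cracks it with one lookup.
    table = build_rainbow_table(WORDLIST)
    unsalted = fast_hash(password)
    table_hit_unsalted = lookup_precomputed(table, unsalted)

    # 2. Salted fast hash: the same table is useless ...
    salted = fast_hash(password, salt)
    table_hit_salted = lookup_precomputed(table, salted)

    # ... but per-candidate guessing needs exactly as many hash calls as
    # it did without the salt.  The salt only kills the precomputation.
    _, tried_unsalted = crack_online(unsalted, b"", WORDLIST, fast_hash)
    _, tried_salted = crack_online(salted, salt, WORDLIST, fast_hash)

    # 3. Salted slow KDF: the same guessing still works, but each
    # candidate now costs `iterations` times as much.
    stored_slow = slow_hash(password, salt, iterations)
    t0 = time.perf_counter()
    recovered_slow, tried_slow = crack_online(
        stored_slow, salt, WORDLIST, lambda w, s: slow_hash(w, s, iterations))
    elapsed_slow = time.perf_counter() - t0

    return {
        "table_hit_unsalted": table_hit_unsalted,   # 'hunter2'
        "table_hit_salted": table_hit_salted,       # None
        "candidates_unsalted_fast": tried_unsalted,  # 4
        "candidates_salted_fast": tried_salted,      # 4: salt changed nothing
        "hash_ops_fast": tried_salted,              # 4 SHA-256 calls
        "recovered_slow": recovered_slow,           # 'hunter2': still crackable
        "hash_ops_slow": tried_slow * iterations,   # 40_000 HMAC calls
        "seconds_slow": elapsed_slow,               # the cost the defender buys
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:26} {v}")
```

Raise `iterations` and the wall-clock line grows linearly while the candidate count stays at 4; that linear growth per guess is the only defence a weak password gets once the database has leaked, and it is exactly what a salt cannot supply on its own. In Dovecot terms the equivalent knob is the scheme's work factor rather than the presence of a salt.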