[Dovecot] Storing passwords encrypted... bcrypt?
Michael Orlitzky
michael at orlitzky.com
Thu Jan 5 18:31:17 EET 2012
On 01/05/12 11:14, Charles Marcus wrote:
>
> Ummm... yes, he does... from tfa:
>
> "Salts Will Not Help You
>
> It’s important to note that salts are useless for preventing dictionary
> attacks or brute force attacks. You can use huge salts or many salts or
> hand-harvested, shade-grown, organic Himalayan pink salt. It doesn’t
> affect how fast an attacker can try a candidate password, given the hash
> and the salt from your database.
>
> Salt or no, if you’re using a general-purpose hash function designed for
> speed you’re well and truly effed."
Ugh, sorry. I went to the link that someone else quoted:
https://www.grc.com/haystack.htm
The article you posted is correct. Salt will not prevent brute-force
search, but it isn't meant to. Salt is meant to prevent the attacker
from using precomputed tables of hashed passwords, called rainbow tables.
To prevent brute-force search, you use a better algorithm, like the
author says.
>> but he's a crackpot anyway.
Gibson *is* a renowned crackpot.
> Why? I asked because I'm genuinely unsure (don't know enough about the
> innards of the different encryption methods), and that's why I asked.
> Simply saying he's a crackpot means nothing.
>
> Also...
>
>> Use a slow algorithm (others already mentioned bcrypt) to prevent
>> brute-force search,
>
> Actually, that (bcrypt) is precisely what *the author of the article*
> (the one who you are saying is a crackpot) is suggesting to use - I
> guess you didn't even bother to read it or else you'd know that, so why
> bother commenting?
Again, sorry, I don't always know how to work my email client.
>
> I don't see it as an extraordinary claim, and anyone who goes around
> claiming someone else is a crackpot without evidence to support the
> claim is just yammering.
>
Your article is fine, but you should always be skeptical because for
every article like the one you posted, there are 100 like Gibson's.
>
> <sigh> No, they don't, your claim is baseless and without merit.
>
> Most people have never even known what their password *is*, much less
> written it down, because as I said (more than once), *I* set up their
> email clients (workstations, home computers and phones) *for them*.
>
The password is on the phone, in plain text. If I have the phone, I can
read it as easily as if it was written in sharpie.
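The two points made above (a salt defeats precomputed tables but does not reduce the number of guesses an attacker with the hash and the salt must make; only the cost per guess does) are shown below as an added example. This is not code from the thread or from Dovecot. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt because bcrypt is not in the standard library; the wordlist and the stored records are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for an attacker's dictionary (not from the thread).
WORDLIST = ["123456", "password", "letmein", "qwerty", "dovecot"]


def fast_unsalted(password):
    """General-purpose fast hash with no salt: the scheme the article warns against."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_rainbow_table(words):
    """Precompute digest -> password once. Reusable against every unsalted database,
    which is exactly what a salt is meant to prevent."""
    return {fast_unsalted(w): w for w in words}


def rainbow_hit(table, password):
    """Unsalted case: one dictionary lookup recovers the password from the stolen digest."""
    return table.get(fast_unsalted(password))


def slow_salted(password, salt, iterations):
    """Salted hash with a tunable work factor. PBKDF2-HMAC-SHA256 is used here as a
    stand-in for bcrypt; the property demonstrated (cost per guess) is the same."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password, iterations):
    """What the server would store: a fresh random salt and the derived hash."""
    salt = os.urandom(16)
    return salt, slow_salted(password, salt, iterations)


def verify_slow_salted(password, salt, iterations, stored):
    """Constant-time comparison so the check itself leaks nothing about the stored hash."""
    return hmac.compare_digest(slow_salted(password, salt, iterations), stored)


def salt_breaks_table(password, iterations=1000):
    """Two users with the same password get independent salts, so their stored hashes
    differ and a table precomputed before the breach has nothing to match against."""
    _, hash_a = make_record(password, iterations)
    _, hash_b = make_record(password, iterations)
    return hash_a != hash_b


def dictionary_attack(stored, salt, iterations, words):
    """With both the hash and the salt from the database, the attacker simply tries each
    candidate. The salt does not cut the number of guesses; a weak password still falls."""
    for w in words:
        if verify_slow_salted(w, salt, iterations, stored):
            return w
    return None


def cost_ratio(iterations=100_000, rounds=10):
    """Rough ratio of time-per-guess slow/fast. This ratio, not the salt, is what
    slows a brute-force or dictionary search down."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(rounds):
        fast_unsalted("guess%d" % i)
    t_fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    for i in range(rounds):
        slow_salted("guess%d" % i, salt, iterations)
    t_slow = time.perf_counter() - t0
    return t_slow / max(t_fast, 1e-9)


if __name__ == "__main__":
    table = build_rainbow_table(WORDLIST)
    print("unsalted sha1, table lookup:", rainbow_hit(table, "letmein"))
    print("same password, two salts, different hashes:", salt_breaks_table("letmein"))
    salt, stored = make_record("letmein", 10_000)
    print("salted but weak password, dictionary attack:",
          dictionary_attack(stored, salt, 10_000, WORDLIST))
    print("slow/fast cost ratio: %.0f" % cost_ratio())
```

Raising `iterations` is the knob that matters: the salt stops the attacker from reusing work across users and across breaches, while the work factor decides how many guesses per second they get against any one record.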