[Dovecot] Storing passwords encrypted... bcrypt?

Michael Orlitzky michael at orlitzky.com
Thu Jan 5 18:31:17 EET 2012


On 01/05/12 11:14, Charles Marcus wrote:
> 
> Ummm... yes, he does... from tfa:
> 
> "Salts Will Not Help You
> 
> It’s important to note that salts are useless for preventing dictionary
> attacks or brute force attacks. You can use huge salts or many salts or
> hand-harvested, shade-grown, organic Himalayan pink salt. It doesn’t
> affect how fast an attacker can try a candidate password, given the hash
> and the salt from your database.
> 
> Salt or no, if you’re using a general-purpose hash function designed for
> speed you’re well and truly effed."

Ugh, sorry. I went to the link that someone else quoted:

  https://www.grc.com/haystack.htm

The article you posted is correct. Salt will not prevent brute-force
search, but it isn't meant to. Salt is meant to prevent the attacker
from using precomputed tables of hashed passwords, called rainbow tables.

To prevent brute-force search, you use a better algorithm, like the
author says.


>> but he's a crackpot anyway.

Gibson *is* a renowned crackpot.


> Why? I asked because I'm genuinely unsure (don't know enough about the
> innards of the different encryption methods), and that's why I asked.
> Simply saying he's a crackpot means nothing.
> 
> Also...
> 
>> Use a slow algorithm (others already mentioned bcrypt)to prevent
>> brute-force search,
> 
> Actually, that (bcrypt) is precisely what *the author of the article*
> (the one who you are saying is a crackpot) is suggesting to use - I
> guess you didn't even bother to read it or else you'd know that, so why
> bother commenting?

Again, sorry, I don't always know how to work my email client.


> 
> I don't see it as an extraordinary claim, and anyone who goes around
> claiming someone else is a crackpot without evidence to support the
> claim is just yammering.
> 

Your article is fine, but you should always be skeptical because for
every article like the one you posted, there are 100 like Gibson's.


> 
> <sigh> No, they don't, your claim is baseless and without merit.
> 
> Most people have never even known what their password *is*, much less
> written it down, because as I said (more than once), *I* set up their
> email clients (workstations, home computers and phones) *for them*.
> 

The password is on the phone, in plain text. If I have the phone, I can
read it as easily as if it was written in sharpie.


More information about the dovecot mailing list