[Dovecot] Storing passwords encrypted... bcrypt?
Simon Brereton
simon.brereton at buongiorno.com
Wed Jan 4 00:38:36 EET 2012
On 3 January 2012 17:30, Charles Marcus <CMarcus at media-brokers.com> wrote:
> On 2012-01-03 5:10 PM, WJCarpenter <bill-dovecot at carpenter.org> wrote:
>>
>> In his description, he uses the example of passwords which are
>> "lowercase, alphanumeric, and 6 characters long" (and in another place
>> the example is "lowercase, alphabetic passwords which are ≤7
>> characters", I guess to illustrate that things have gotten faster). If
>> you are allowing your users to create such weak passwords, using bcrypt
>> will not save you/them. Attackers will just be wasting more of your CPU
>> time making attempts. If they get a copy of your hashed passwords,
>> they'll likely be wasting their own CPU time, but they have plenty of
>> that, too.
>
>
> I require strong passwords of 15 characters in length. Whats more, they are
> assigned (by me), and the user cannot change it. But, he isn't talking about
> brute force attacks against the server. He is talking about if someone
> gained access to the SQL database where the passwords are stored (as has
> happened countless times in the last few years), and then had the luxury of
> brute forcing an attack locally (on their own systems) against your password
> database.
24+ would be better..
http://xkcd.com/936/
Simon
More information about the dovecot
mailing list