[Dovecot] Storing passwords encrypted... bcrypt?

Charles Marcus CMarcus at Media-Brokers.com
Wed Jan 4 03:25:02 EET 2012


On 2012-01-03 6:12 PM, WJCarpenter <bill-dovecot at carpenter.org> wrote:
> On 1/3/2012 2:38 PM, Simon Brereton wrote:
>> http://xkcd.com/936/
>
> As the saying goes, entropy ain't what it used to be.
>
> https://www.grc.com/haystack.htm
>
> However, both links actually illustrate the same point: once you get
> past dictionary attacks, the length of the password is the dominant
> factor in the strength of the password against brute force attack.

I think y'all are missing the point... not sure, because I'm still not 
completely sure that this is saying what I think it is saying (that's 
why I asked)...

I'm not worried about *active* brute force attacks against my server 
using the standard smtp or imap protocols - fail2ban takes care of those 
in a hurry.

What I'm worried about is the worst case scenario of someone getting 
ahold of the entire user database of *stored* passwords, where they can 
then take their time and brute force them at their leisure, on *their* 
*own* systems, without having to hammer my server over smtp/imap and 
without the automated limit of *my* fail2ban getting in their way.

As for people writing their passwords down... our policy is that it is a 
potentially *firable* *offense* (never even encountered one case of 
anyone posting their password, and I'm on these systems off and on all 
the time) if they do post these anywhere that is not under lock and key. 
Also, I always set up their email clients for them (on their 
workstations and on their phones) - and of course tell it to remember the 
password, so they basically never have to enter it.

-- 

Best regards,

Charles
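The offline scenario the message describes (a stolen database of stored hashes, cracked at leisure on the attacker's own hardware) is exactly what a salted, tunable-cost hash like bcrypt is meant to answer. The following is an added example, not code from the list post or from Dovecot: it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, since both embed a per-user salt and a work factor in the stored string. The `$pbkdf2-sha256$rounds$salt$digest` storage format, the function names, and the round counts are assumptions made for this example; `seconds_to_exhaust` applies the same reasoning to the password-length point raised in the quoted reply.

```python
"""Added example (not from the Dovecot list post or from Dovecot): a
salted, tunable-cost password hash store. PBKDF2-HMAC-SHA256 from the
standard library stands in for bcrypt; the stored string format below is
an assumption for this example, not Dovecot's own scheme."""
import hashlib
import hmac
import os
import time
from typing import Optional

ALGO = "pbkdf2-sha256"  # assumed algorithm label for the stored string


def hash_password(password: str, rounds: int = 100_000,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: $algo$rounds$salt_hex$digest_hex.

    The salt and round count travel with the hash, so a verifier (or an
    attacker holding the database) must redo the full work per guess.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user: no shared tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"${ALGO}${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the salt and rounds embedded in `stored`."""
    try:
        _, algo, rounds_str, salt_hex, digest_hex = stored.split("$")
        if algo != ALGO:
            return False
        rounds = int(rounds_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed or unsupported record
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison so the verifier does not leak matching bytes.
    return hmac.compare_digest(actual, expected)


def seconds_per_guess(rounds: int, samples: int = 3) -> float:
    """Measure the cost of one verification at a given work factor.

    This is the defender's knob: the offline attacker pays this cost for
    every candidate password, on every user's distinct salt.
    """
    stored = hash_password("benchmark-only", rounds=rounds)
    start = time.perf_counter()
    for _ in range(samples):
        verify_password("benchmark-only", stored)
    return (time.perf_counter() - start) / samples


def cost_ratio(low_rounds: int, high_rounds: int) -> float:
    """How much more each guess costs at high_rounds than at low_rounds."""
    return seconds_per_guess(high_rounds) / seconds_per_guess(low_rounds)


def seconds_to_exhaust(entropy_bits: float, secs_per_guess: float) -> float:
    """Time to try every password in a space of 2**entropy_bits guesses.

    Ties the two threads of the discussion together: password length (bits)
    and hash cost (seconds per guess) multiply, on a single core.
    """
    return (2.0 ** entropy_bits) * secs_per_guess


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("cost ratio 1k->100k rounds: %.1fx" % cost_ratio(1_000, 100_000))
    print("44-bit space at 0.1 s/guess: %.0f years"
          % (seconds_to_exhaust(44, 0.1) / (365 * 86400)))
```

Raising the round count (bcrypt's log-cost parameter plays the same role) is the only lever that helps once the database is already in the attacker's hands; fail2ban-style rate limiting does nothing there, as the message points out. Re-hash records on successful login when the stored round count falls below the current policy, so the cost keeps pace with hardware.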