[Dovecot] Storing passwords encrypted... bcrypt?

David Ford david at blue-labs.org
Wed Jan 4 03:37:21 EET 2012


On 01/03/2012 08:25 PM, Charles Marcus wrote:
>
> I think y'all are missing the point... not sure, because I'm still not
> completely sure that this is saying what I think it is saying (that's
> why I asked)...
>
> I'm not worried about *active* brute force attacks against my server
> using the standard smtp or imap protocols - fail2ban takes care of
> those in a hurry.
>
> What I'm worried about is the worst case scenario of someone getting
> ahold of the entire user database of *stored* passwords, where they
> can then take their time and brute force them at their leisure, on
> *their* *own* systems, without having to hammer my server over
> smtp/imap and without the automated limit of *my* fail2ban getting in
> their way.
>
> As for people writing their passwords down... our policy is that it is
> a potentially *firable* *offense* (never even encountered one case of
> anyone posting their password, and I'm on these systems off and on all
> the time) if they do post these anywhere that is not under lock and
> key. Also, I always set up their email clients for them (on their
> workstations and on their phones), and of course tell it to remember
> the password, so they basically never have to enter it.

Perhaps.  Part of my point, along with that of brute force resistance, is
that when security becomes onerous to the typical user, such as requiring
non-repeat passwords of "10 characters including punctuation and mixed
case", even stalwart policy followers start tending toward avoiding it.
If anyone has a stressful job, spends a lot of time working, misses
sleep, and is thereby prone to memory lapses, it's almost a sure guarantee
they *will* write it down/store it somewhere -- usually not in a
password safe.  Or they'll export their saved passwords to make a
backup plain text copy, and leave it in their Desktop folder but coyly
named and prefixed with a few random emails to grandma, so Mr. Sysadmin
doesn't notice it.

On a tangent, you should worry about active brute force attacks.
fail2ban and iptables heuristics become meaningless when the brute
forcing is done by botnets, which is becoming more common than
single-host attacks these days.  One IP per attempt in a 10-20 minute
window will probably never trigger any of these methods.
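The gap David describes, one failed attempt per source address so that a per-IP ban rule never fires, is something a defender can check for in their own logs by counting per account instead of per address. The following is an added example, not code from this thread or from Dovecot or fail2ban: a small Python script over constructed log lines written in the shape of Dovecot's `imap-login` "Disconnected (auth failed ...)" messages (sample hosts and addresses, not real ones) that compares a fail2ban-style per-IP rule with a per-account rule counting distinct source addresses within a window. The function names, thresholds and window sizes are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (syslog prefix + Dovecot imap-login messages).
# Hosts, users and addresses are made up for this example.
SAMPLE_LOG = """\
Jan  4 03:10:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.10, TLS
Jan  4 03:12:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.10, TLS
Jan  4 03:12:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.10, TLS
Jan  4 03:15:00 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.8, lip=198.51.100.10, mpid=1234, TLS
Jan  4 03:17:44 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.77, lip=198.51.100.10, TLS
Jan  4 03:26:12 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.23, lip=198.51.100.10, TLS
Jan  4 03:34:50 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.140, lip=198.51.100.10, TLS
Jan  4 03:43:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.201, lip=198.51.100.10, TLS
Jan  4 03:51:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.10, TLS
"""

# Only auth failures are of interest; successful "Login:" lines are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: \S+: '
    r'Disconnected \(auth failed[^)]*\): user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[\d.]+)'
)


def parse_failures(text, year=2012):
    """Return a list of (timestamp, user, source_ip) for each auth failure."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # syslog pads the day with spaces; collapse them before parsing
        stamp = re.sub(r"\s+", " ", f"{year} {m['ts']}")
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["rip"]))
    return events


def per_ip_trigger(events, maxretry=5, window_s=600):
    """fail2ban-style rule: an IP is banned once it has >= maxretry failures
    within window_s seconds. Returns the set of IPs that would be banned."""
    by_ip = defaultdict(list)
    for ts, _user, rip in sorted(events):
        by_ip[rip].append(ts)
    banned = set()
    for rip, times in by_ip.items():
        for i, ts in enumerate(times):
            recent = [t for t in times[: i + 1] if (ts - t).total_seconds() <= window_s]
            if len(recent) >= maxretry:
                banned.add(rip)
                break
    return banned


def distributed_trigger(events, min_ips=5, window_s=3600):
    """Per-account rule: flag a user whose failures within window_s seconds
    come from >= min_ips distinct source addresses, regardless of how few
    attempts each address made. Returns the set of flagged users."""
    by_user = defaultdict(list)
    for ts, user, rip in sorted(events):
        by_user[user].append((ts, rip))
    flagged = set()
    for user, hits in by_user.items():
        for i, (ts, _rip) in enumerate(hits):
            ips = {r for t, r in hits[: i + 1] if (ts - t).total_seconds() <= window_s}
            if len(ips) >= min_ips:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print(f"{len(evs)} auth failures parsed")
    print("per-IP rule would ban:", per_ip_trigger(evs) or "nothing")
    print("per-account rule flags:", distributed_trigger(evs) or "nothing")
```

On the constructed input the per-IP rule bans nothing, because no single address ever reaches five failures, while the per-account rule flags `alice`, who saw six failures from six different addresses inside an hour. A real deployment would feed this from the actual log path and tune the window and thresholds to the site's normal traffic; the useful outcome of such a flag is usually an alert or a temporary per-account lockout, not another IP ban.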
