[Dovecot] Storing passwords encrypted... bcrypt?
Michael Orlitzky
michael at orlitzky.com
Wed Jan 4 03:58:51 EET 2012
On 01/03/2012 08:25 PM, Charles Marcus wrote:
>
> What I'm worried about is the worst case scenario of someone getting
> ahold of the entire user database of *stored* passwords, where they can
> then take their time and brute force them at their leisure, on *their*
> *own* systems, without having to hammer my server over smtp/imap and
> without the automated limit of *my* fail2ban getting in their way.
To prevent rainbow table attacks, salt your passwords. You can make them
a little bit more difficult in plenty of ways, but salt is the /solution/.
> As for people writing their passwords down... our policy is that it is a
> potentially *firable* *offense* (never even encountered one case of
> anyone posting their password, and I'm on these systems off and on all
> the time) if they do post these anywhere that is not under lock and key.
> Also, I always set up their email clients for them (on their
> workstations and on their phones - and of course tell it to remember the
> password, so they basically never have to enter it.
You realize they're just walking around with a $400 post-it note with
the password written on it, right?
More information about the dovecot
mailing list