[Dovecot] Storing passwords encrypted... bcrypt?

Willie Gillespie wgillespie at es2eng.com
Thu Jan 5 18:21:45 EET 2012


On 1/5/2012 9:14 AM, Charles Marcus wrote:
> On 2012-01-05 10:28 AM, Michael Orlitzky <michael at orlitzky.com> wrote:
>> On 01/05/12 06:26, Charles Marcus wrote:
>>>> You realize they're just walking around with a $400 post-it note with
>>>> the password written on it, right?
>
>>> Nope, you are wrong - as I have patiently explained before. They do not
>>> *need* to write their password down.
>
>> They have them written down on their phones. If someone gets a hold of
>> the phone, he can just read the password off of it.
>
> <sigh> No, they don't, your claim is baseless and without merit.
>
> Most people have never even known what their password *is*, much less
> written it down, because as I said (more than once), *I* set up their
> email clients (workstations, home computers and phones) *for them*.

If the phone knows the password and I have the phone, then I have the 
password.  Similarly, if I compromise the workstation that knows the 
password, then I also have the password.

Even if the user doesn't know the password, the phone/workstation does.
And it has to be stored in a retrievable way.

That's what he was trying to say when he was talking about a "$400 post-it
note."


