Password encryption

j.emerlik j.emerlik at gmail.com
Fri Oct 27 11:50:17 EEST 2017


You mean that today they use encrypted passwords to see
who has the same passwords, using brute force or a hash dictionary attack?

2017-10-27 8:57 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>:

> The use of salt, today, is to prevent the attacker from directly seeing
> who has the same passwords. Of course it also will make a rainbow table
> attack less useful, but then again, no one uses rainbow tables anymore
> since it takes about a few minutes to brute force a password in the cloud
> or on your home computer GPU. SHA512-CRYPT uses by default 4000 rounds
> on Dovecot, to make it more computationally expensive, but still it's
> not very strong protection anymore.
>
> MD5 with or without salt can be attacked at passwords per second speed,
> so using CRAM-MD5 or DIGEST-MD5 is a very, very poor choice. Anything with
> MD5 should not be used for passwords these days.
>
> With Dovecot 2.3 we are making BLF-CRYPT available on all platforms, and
> also adding support for ARGON2 when you have libsodium available.
>
> Aki
>
>
> On 27.10.2017 09:44, j.emerlik wrote:
> > Aki,
> > if I understand it well, a salt is useful when the database is/was stolen?
> > Then the thief can use e.g. rainbow tables to decrypt passwords.
> > Regards,
> > Jack
> >
> > 2017-10-27 7:42 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
> >
> >>
> >> On 27.10.2017 08:37, @lbutlr wrote:
> >>> On 25 Oct 2017, at 03:11, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> >>>> SHA512-CRYPT and PLAIN/LOGIN with SSL.
> >>> I’m happy with SHA256-CRYPT and PLAIN/LOGIN.
> >>>
> >> Yes. SHA256-CRYPT is good too. It was just a recommendation over using
> >> CRAM-MD5; use anything with a salt.
> >>
> >> Aki
> >>
>
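Added example (not from this thread or from Dovecot's code) illustrating Aki's point: with an unsalted scheme, whoever holds a stolen table can see which accounts share a password without cracking anything, while a per-user salt hides that and iteration rounds add cost. The hashing scheme below is a simplified stand-in for SHA512-CRYPT, not the real algorithm, and the user table is constructed.

```python
import hashlib
import os
import secrets
from collections import Counter

# Constructed sample user table: bob and carol happen to share a password.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
    "carol": "hunter2",
}

def unsalted_sha512(password: str) -> str:
    """Plain SHA-512 digest, as an unsalted scheme would store it."""
    return hashlib.sha512(password.encode()).hexdigest()

def salted_iterated_sha512(password: str, salt: str, rounds: int = 4000) -> str:
    """Simplified salted, iterated SHA-512 (illustration only; NOT the real
    SHA512-CRYPT construction). Stored form: $rounds$salt$digest."""
    digest = hashlib.sha512((salt + password).encode()).digest()
    for _ in range(rounds - 1):  # each extra round costs the attacker the same work
        digest = hashlib.sha512(digest + salt.encode()).digest()
    return f"${rounds}${salt}${digest.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _, rounds, salt, _digest = stored.split("$")
    candidate = salted_iterated_sha512(password, salt, int(rounds))
    return secrets.compare_digest(candidate, stored)

def duplicate_groups(table: dict) -> int:
    """Number of distinct stored values shared by more than one user: what a
    holder of the stolen table learns by simply sorting it."""
    return sum(1 for n in Counter(table.values()).values() if n > 1)

def build_tables(users=USERS):
    """Return (unsalted, salted) tables for the same users; salt is per user."""
    unsalted = {u: unsalted_sha512(p) for u, p in users.items()}
    salted = {u: salted_iterated_sha512(p, os.urandom(8).hex()) for u, p in users.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("shared digests, unsalted:", duplicate_groups(unsalted))  # 1 (bob/carol)
    print("shared digests, salted:  ", duplicate_groups(salted))    # 0
    print("carol verifies:", verify_salted("hunter2", salted["carol"]))  # True
```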

