Need help in understanding auth digest-md5 and realm

Admin Beckspaced admin at beckspaced.com
Sat Oct 28 17:47:55 EEST 2017


On 28.10.2017 12:24, Alex JOST wrote:
> Am 28.10.2017 um 08:30 schrieb Admin Beckspaced:
>>
>>
>> On 27.10.2017 20:35, Aki Tuomi wrote:
>>>> On October 27, 2017 at 6:00 PM Admin Beckspaced 
>>>> <admin at beckspaced.com> wrote:
>>>>
>>>>
>>>> Hello dovecot community,
>>>> ...
>>>>
>>>> If someone could shed some light on this I would be more than 
>>>> grateful ;)
>>>>
>>>> Thanks & greetings
>>>> Becki
>>> We actually discovered that Android has a bug with DIGEST-MD5, which 
>>> Google refuses to fix. Also DIGEST-MD5/CRAM-MD5 etc. are not really a 
>>> good idea with SSL anyways.
>>>
>>> Aki
>>>
>>>
>> Hello Aki,
>> thanks for your reply ... so if there's a bug which Google won't fix 
>> it's perhaps best to not offer digest-md5?
>> what do you mean by it's not a good idea to use DIGEST-MD5/CRAM-MD5 
>> with SSL?
>
> Those methods encrypt the password itself which was a good thing back 
> in the days when most connections were unencrypted. The disadvantage 
> is that they require the password to be saved in cleartext.
>
> If you can enforce an encrypted connection it is better to use 
> PLAIN/LOGIN and save the passwords as hashes (preferably with salts).
>
Thanks for your explanation ;)
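
The storage trade-off discussed in this thread, as an added example that is not part of the original messages and is not Dovecot's code: a CRAM-MD5 server has to recompute the client's HMAC and therefore needs the shared secret itself, while PLAIN over TLS can be checked against a salted hash. The password, challenge string and PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values (not taken from the thread).
PASSWORD = b"correct horse battery staple"
CHALLENGE = b"<1896.697170952@mail.example.org>"


def cram_md5_digest(secret, challenge):
    """Digest part of a CRAM-MD5 response (RFC 2195): HMAC-MD5 keyed with the password."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


def server_verify_cram_md5(stored_secret, challenge, response):
    # The server recomputes the same HMAC, so it must hold the key itself.
    expected = cram_md5_digest(stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def hash_password(password, salt=b""):
    """Salted, slow hash for storage; PBKDF2 stands in for whichever scheme is deployed."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)


def server_verify_plain(stored, presented):
    # PLAIN/LOGIN inside TLS: the client sends the password, the server re-hashes it.
    salt, digest = stored
    return hmac.compare_digest(hash_password(presented, salt)[1], digest)


def demo():
    client_response = cram_md5_digest(PASSWORD, CHALLENGE)
    stored = hash_password(PASSWORD)
    return {
        "cram_with_cleartext": server_verify_cram_md5(PASSWORD, CHALLENGE, client_response),
        # With only the salted hash on disk, the HMAC cannot be reproduced.
        "cram_with_hash_only": server_verify_cram_md5(stored[1], CHALLENGE, client_response),
        "plain_with_hash_only": server_verify_plain(stored, PASSWORD),
        "plain_wrong_password": server_verify_plain(stored, b"wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```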

