Headsup on feature removal - password
Hendrik Boom
hendrik at topoi.pooq.com
Wed Mar 18 15:51:51 EET 2020
Was there any reason for this message to be HTML-only?
On Wed, Mar 18, 2020 at 07:13:12AM +0200, Aki Tuomi wrote:
> <!doctype html>
> <html>
> <head>
> <meta charset="UTF-8">
> </head>
> <body>
> <div>
> <br>
> </div>
> <blockquote type="cite">
> <div>
> On 18/03/2020 00:06 Rupert Gallagher <ruga at protonmail.com> wrote:
> </div>
> <div>
> <br>
> </div>
> <div>
> <br>
> </div>
> <br>> Password schemes: HMAC-MD5, RPA, SKEY, PLAIN-MD4, LANMAN, NTLM, SMD5
> <br>
> <br>The web is flooded with plain text passwords and hashed passwords harvested from hacked servers.
> <br>
> <br>Dovecot stores passwords with the same scheme used for client authentication.
> <br>
> <br>Therefore, we use crammd5/hmac-md5. It does not look like much, but is better than plaintext.
> <br>
> <br>As md5 is about to go, and I have no intention to store passwords in plaintext, I need to split the scheme used to store passwords from the scheme used for authentication, and migrate storage from md5 to bcrypt.
> <br>
> <br>Since this is not possible, I think I will drop passwords entirely and use certificates.
> <br>
> <br>
> </blockquote>
> <div>
> <br>
> </div>
> <div>
> We are not removing CRAM-MD5/DIGEST-MD5/S-CRAM-SHA-1 or S-CRAM-SHA-256. Also just plain MD5 is still staying.
> </div>
> <div class="io-ox-signature">
> <pre>---
> Aki Tuomi</pre>
> </div>
> </body>
> </html>
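The coupling Rupert describes (the stored scheme must match the authentication mechanism) is easiest to see in code. The following is an added example, not Dovecot's own code: it implements the CRAM-MD5 exchange from RFC 2195 on both sides, then shows why a server holding only a salted slow hash can verify PLAIN/LOGIN but cannot answer a CRAM-MD5 challenge. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (an assumption made so the block runs offline); the user, password and challenge are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration (not from the thread).
USER = "alice"
PASSWORD = b"correct horse battery staple"


# --- Challenge-response side: what CRAM-MD5 needs from the server -------

def cram_md5_response(user: str, password: bytes, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): "user hex(HMAC-MD5(password, challenge))"."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def cram_md5_verify(stored_secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side of CRAM-MD5.

    The server has to recompute HMAC-MD5 over the challenge, so whatever it
    stores must allow that: the password itself, or HMAC state already keyed
    with it.  Either form is plaintext-equivalent for this mechanism, which is
    exactly the storage/authentication coupling the thread is about.
    """
    _user, _, digest = response.partition(" ")
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# --- One-way, salted, slow storage: what the poster wants to store -------
# PBKDF2-HMAC-SHA256 is used in place of bcrypt only because it ships with
# Python; the relevant property is the same: the record holds a salt and a
# one-way digest, nothing the server could re-key an HMAC with.

def slow_hash_store(password: bytes, iterations: int = 100_000) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def slow_hash_verify(password: bytes, salt: bytes, stored: bytes,
                     iterations: int = 100_000) -> bool:
    """Only possible when the client sends the password itself (PLAIN/LOGIN over TLS)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Run both storage models against one CRAM-MD5 exchange and one PLAIN check."""
    challenge = b"<1896.697170952@postoffice.example>"  # constructed, RFC 2195 style
    response = cram_md5_response(USER, PASSWORD, challenge)

    # 1. Plaintext-equivalent storage can serve CRAM-MD5.
    cram_ok = cram_md5_verify(PASSWORD, challenge, response)
    cram_wrong = cram_md5_verify(b"wrong password", challenge, response)

    # 2. Slow-hash storage can verify a password the client sends in the clear ...
    salt, stored = slow_hash_store(PASSWORD)
    plain_ok = slow_hash_verify(PASSWORD, salt, stored)
    plain_wrong = slow_hash_verify(b"wrong password", salt, stored)

    # 3. ... but the same record cannot answer the CRAM-MD5 challenge: the only
    #    secret the server holds is the salted digest, which is not the password.
    cram_from_slow_hash = cram_md5_verify(stored, challenge, response)

    return {
        "cram_ok": cram_ok,
        "cram_wrong": cram_wrong,
        "plain_ok": plain_ok,
        "plain_wrong": plain_wrong,
        "cram_from_slow_hash": cram_from_slow_hash,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last result is the practical consequence: a deployment that migrates storage to bcrypt (or any salted one-way scheme) has to stop offering CRAM-MD5 and rely on PLAIN/LOGIN under TLS, which is why splitting the storage scheme from the authentication scheme is not a free choice.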