On 18/03/2020 00:06 Rupert Gallagher <ruga@protonmail.com> wrote:
> Password schemes: HMAC-MD5, RPA, SKEY, PLAIN-MD4, LANMAN, NTLM, SMD5
The web is flooded with plain text passwords and hashed passwords harvested from hacked servers.
Dovecot stores passwords with the same scheme used for client authentication.
Therefore, we use crammd5/hmac-md5. It does not look like much, but is better than plaintext.
As md5 is about to go, and I have no intention to store passwords in plaintext, I need to split the scheme used to store passwords from the scheme used for authentication, and migrate storage from md5 to bcrypt.
Since this is not possible, I think I will drop passwords entirely and use certificates.
We are not removing CRAM-MD5/DIGEST-MD5/SCRAM-SHA-1 or SCRAM-SHA-256. Also, just plain MD5 is still staying.