On Mon, 7 Jan 2008, Frank Kintrup wrote:
Hello,
one of my users set his password to something surrounded by curly braces, and promptly all access to his mailbox was refused. After looking through the logs I found an entry "Unknown password scheme xxxx", where "xxxx" is the user's password, but without the curly braces. I then browsed through the documentation and there was explained that it is possible to prefix the password with the password scheme in curly braces, like "{PLAIN}xxxx" where xxxx is the password itself.
Manually altering the users password in the database to "{PLAIN}xxxx" (where "xxxx" is the user's password WITH curly braces) fixed this problem for me at this time, but the time a user chooses such a strange password I would have to edit the table again. So in my opinion the {SCHEME}-prefix is not a useful thing. Why would anyone need it, anyway? Shouldn't all passwords have the same scheme which is set in the dovecot.conf file once?
If the feature is indeed used: with a database lookup it should be replaced by an optional database field or, if that's not possible, it should be possible to disable this feature from the config file.
Frank
Regardless of how secure your password file/database might be, it seems like a bad idea to enter users' passwords in plain text. Use something else. With the other schemes it's at least a huge annoyance for an attacker to recover a password. But, you can still easily set the passwords to known values as an administrator. (That's the whole point of a one-way hash like 'crypt' or 'MD5'.)
Best, Ben