On 2012-01-04 8:19 PM, Pascal Volk user+dovecot@localhost.localdomain.org wrote:
On 01/03/2012 09:40 PM Charles Marcus wrote:
Hi everyone,
Was just perusing this article about how trivial it is to decrypt passwords that are stored using most (standard) encryption methods (like MD5), and was wondering - is it possible to use bcrypt with dovecot+postfix+mysql (or Postgres)?
Yes it is possible to use bcrypt with dovecot. Currently you have only to write your password scheme plugin. The bcrypt algorithm is described at http://en.wikipedia.org/wiki/Bcrypt.
If you are using Dovecot >= 2.0, 'doveadm pw' supports the schemes:
* BSD: Blowfish-Crypt
* Linux (since glibc 2.7): SHA-256-Crypt and SHA-512-Crypt
Some distributions have also added support for Blowfish-Crypt.
See also: doveadm-pw(1)
If you are using Dovecot < 2.0 you can also use any of the algorithms supported by your system's libc. But then you have to prefix the hashes with {CRYPT} - not {{BLF,SHA256,SHA512}-CRYPT}.
Hmmm... thanks very much Pascal, I think that gets me half-way to an answer (but since ianap, this is mostly Greek to me and so is not quite a solution I can implement yet)...
You said above that 'yes, I can use it with dovecot' - but what about postfix and mysql... where/how do they fit into this mix? My thought was that there are two issues here:
1. Storing them in bcrypted form, and
2. The clients must support *decrypting* them...
So, since I use postfixadmin, I'm guessing that for #1, it will have to support encrypting them in bcrypt form, and then I have to worry about dovecot - and since I'm planning on using postfix+dovecot-sasl, once dovecot supports it, postfix will too...
Is that about right?
Thanks again,
--
Best regards,
Charles
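Pascal's reply turns on two details that are easy to get wrong when the hashes live in a MySQL/Postgres table: every stored value carries a `{SCHEME}` prefix telling Dovecot how to verify it, and Dovecot < 2.0 only understands the generic `{CRYPT}` prefix for crypt(3)-style hashes, while Dovecot >= 2.0 can also name the scheme (`{BLF-CRYPT}`, `{SHA256-CRYPT}`, `{SHA512-CRYPT}`). The following is an added example, not code from the thread or from Dovecot itself: a small audit helper that parses the prefix, works out which crypt(3) family a hash belongs to, picks the right prefix for a given Dovecot major version, and flags bcrypt strings whose cost factor is below a chosen minimum. The function names, the minimum cost of 10, and the sample hash strings (built from filler characters, not real hashes) are all assumptions made for the example.

```python
"""Audit helpers for Dovecot-style password strings of the form {SCHEME}hash.

Added example; the function names and sample values below are assumptions,
not part of Dovecot or of the mailing-list thread.
"""
import re

# crypt(3) "$id$" identifiers and the Dovecot >= 2.0 scheme names they map to.
# "2" covers the bcrypt variants $2$, $2a$, $2b$, $2y$.
CRYPT_ID_TO_SCHEME = {
    "1": "MD5-CRYPT",
    "2": "BLF-CRYPT",
    "5": "SHA256-CRYPT",
    "6": "SHA512-CRYPT",
}

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9.-]+)\}(.*)$", re.S)
# $2y$<cost>$<22 salt chars><31 hash chars>
_BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$([./A-Za-z0-9]{53})$")

# Constructed sample strings (filler characters, not real hashes).
SAMPLE_BCRYPT = "$2y$10$" + "A" * 22 + "B" * 31
SAMPLE_SHA512 = "$6$salt1234$" + "C" * 86


def split_scheme(stored):
    """Return (scheme, hash) for '{SCHEME}hash'; scheme is None if there is no prefix."""
    m = _SCHEME_RE.match(stored)
    if not m:
        return None, stored
    return m.group(1).upper(), m.group(2)


def crypt_id(hash_str):
    """Return the modular-crypt id ('2', '5', '6', ...) or None if the hash has no $id$."""
    if not hash_str.startswith("$"):
        return None
    parts = hash_str.split("$")  # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    if len(parts) < 3 or not parts[1]:
        return None
    return parts[1][0]


def dovecot_prefix(hash_str, dovecot_major):
    """Pick the {SCHEME} prefix for a crypt(3) hash.

    Dovecot < 2.0 only knows the generic {CRYPT}; >= 2.0 can name the scheme.
    """
    cid = crypt_id(hash_str)
    if dovecot_major < 2 or cid not in CRYPT_ID_TO_SCHEME:
        return "{CRYPT}"
    return "{%s}" % CRYPT_ID_TO_SCHEME[cid]


def bcrypt_cost(hash_str):
    """Return the bcrypt cost factor (log2 rounds), or None if not a bcrypt string."""
    m = _BCRYPT_RE.match(hash_str)
    return int(m.group(1)) if m else None


def audit(stored, dovecot_major=2, min_bcrypt_cost=10):
    """Check one stored password string; returns a list of findings (empty means OK)."""
    findings = []
    scheme, h = split_scheme(stored)
    if scheme is None:
        findings.append("no {SCHEME} prefix; Dovecot falls back to default_pass_scheme")
    cid = crypt_id(h)
    if cid is None:
        findings.append("not a modular-crypt ($id$) hash")
        return findings
    if cid not in CRYPT_ID_TO_SCHEME:
        findings.append(f"unrecognised crypt id ${cid}$")
    if scheme not in (None, "CRYPT") and scheme != CRYPT_ID_TO_SCHEME.get(cid):
        findings.append(f"scheme {{{scheme}}} does not match hash id ${cid}$")
    if dovecot_major < 2 and scheme not in (None, "CRYPT"):
        findings.append(f"Dovecot < 2.0 needs {{CRYPT}}, not {{{scheme}}}")
    if cid == "2":
        cost = bcrypt_cost(h)
        if cost is None:
            findings.append("malformed bcrypt string")
        elif cost < min_bcrypt_cost:
            findings.append(f"bcrypt cost {cost} below minimum {min_bcrypt_cost}")
    return findings


if __name__ == "__main__":
    for version in (1, 2):
        print(version, dovecot_prefix(SAMPLE_BCRYPT, version) + SAMPLE_BCRYPT)
    print(audit("{SHA512-CRYPT}" + SAMPLE_SHA512, dovecot_major=1))
    print(audit("{SHA512-CRYPT}$2y$04$" + "A" * 53))
```

Run over a dump of the `password` column this reports rows whose prefix contradicts the hash, rows that would break after a downgrade to Dovecot < 2.0, and bcrypt hashes generated with a cost too low to be worth the trouble; it does not verify passwords itself, which remains crypt(3)'s job.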