-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Sat, Feb 13, 2010 at 10:09:34PM -0200, Leonardo Rodrigues wrote:
The idea of salted hash algorithms is to generate a different hash evenif the same text is entered. That can be easily seen with dovecotpw:
I don't know about dovecot's algorithm especially, but the idea about salt is that you store the salt along with the password (typically the few first chars, say two). And indeed, if you compare the lengths of your unsalted vs. salted variants:
unsalted:
pmWkWSBCL51Bfkhn79xPuKBKHz//H6B+mY6G9/eieuM= salted: FpJZqafpEVKp2heepp9Z7+OeHaX+DBVpLzd6GKg3BW1XqDS0
there seem to be a couple of chars more in the salted variant. The algorithm for checking is just: cut off the salt, merge with provided password, digest (SHA), compare to stored hashed password.
but i'm having a hard time trying to figure out how my dovecot-sql.confwould be in the case i store salted SHA256 passwords on the database. The idea is to use a RANDOM salt, not a fixed one, just like dovecotpw does.
would it be as simple as changing the 'password', which today isplaintext, by something like
concat('{SHA256}',password) ???
dont i have to give the salt, somehow ?? Or should i store the saltused in the password, for example first or last N characters ....
No, just let Dovecot's algorithm do the generation (and later checking) of the password? (I might be misunderstanding your problem, though).
Regards
- -- tomás -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFLd54DBcgs9XrR2kYRAnUGAJwOjHhCdhOZCMH/5YkFnQbXq7satQCfTNbn 8v9/1zO1R64StmAFF/vV5so= =KbUx -----END PGP SIGNATURE-----