The idea of salted hash algorithms is to generate a different hash even if the same text is entered. That can be easily seen with dovecotpw:
using NON-salted SHA256, same hash is generated for a given password[root@correio ~]# dovecotpw -s SHA256 -p 123 {SHA256}pmWkWSBCL51Bfkhn79xPuKBKHz//H6B+mY6G9/eieuM= [root@correio ~]# dovecotpw -s SHA256 -p 123 {SHA256}pmWkWSBCL51Bfkhn79xPuKBKHz//H6B+mY6G9/eieuM= [root@correio ~]# dovecotpw -s SHA256 -p 123 {SHA256}pmWkWSBCL51Bfkhn79xPuKBKHz//H6B+mY6G9/eieuM= [root@correio ~]#
using SALTED SHA256, a different hash is generated for the same given password
[root@correio ~]# dovecotpw -s SSHA256 -p 123 {SSHA256}FpJZqafpEVKp2heepp9Z7+OeHaX+DBVpLzd6GKg3BW1XqDS0 [root@correio ~]# dovecotpw -s SSHA256 -p 123 {SSHA256}6lWmvtO3SKG5RMET5n89WMIp0xeCg3U14xH1xnAXbvkr8Yjk [root@correio ~]# dovecotpw -s SSHA256 -p 123 {SSHA256}7fXVjC7Iiu0Ko9SgyBpbDvbwMSkoxMILRjDUE0nNpCHBFaIa [root@correio ~]#
This ideia is OK to me ...
but i'm having a hard time trying to figure out how my dovecot-sql.conf would be in the case i store salted SHA256 passwords on the database. The idea is to use a RANDOM salt, not a fixed one, just like dovecotpw does.
would it be as simple as changing the 'password', which today is plaintext, by something like
concat('{SHA256}',password) ???
dont i have to give the salt, somehow ?? Or should i store the salt used in the password, for example first or last N characters ....
is there anyone using dovecot with MySQL and SSHA256 passwords that can share me the dovecot-sql.conf file ?
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertrudes@solutti.com.br
My SPAMTRAP, do not email it