Was there any reason for this message to be HTML-only?
On Wed, Mar 18, 2020 at 07:13:12AM +0200, Aki Tuomi wrote:
> On 18/03/2020 00:06 Rupert Gallagher <ruga@protonmail.com> wrote:
>
> > > Password schemes: HMAC-MD5, RPA, SKEY, PLAIN-MD4, LANMAN, NTLM, SMD5
> >
> > The web is flooded with plain text passwords and hashed passwords harvested from hacked servers.
> >
> > Dovecot stores passwords with the same scheme used for client authentication.
> >
> > Therefore, we use crammd5/hmac-md5. It does not look like much, but is better than plaintext.
> >
> > As md5 is about to go, and I have no intention to store passwords in plaintext, I need to split the scheme used to store passwords from the scheme used for authentication, and migrate storage from md5 to bcrypt.
> >
> > Since this is not possible, I think I will drop passwords entirely and use certificates.
>
> We are not removing CRAM-MD5/DIGEST-MD5/S-CRAM-SHA-1 or S-CRAM-SHA-256. Also just plain MD5 is still staying.
>
> --- Aki Tuomi
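How the authentication mechanism constrains the stored form of a password, as an added example that is not part of the thread or of Dovecot's code: a CRAM-MD5 (RFC 2195) server must recompute the client's HMAC, so it needs the same key the client used, while a mechanism that sends the password itself can be checked against a one-way hash. The function names and sample values are constructed, and PBKDF2 from the standard library stands in for bcrypt.

```python
import hashlib
import hmac
import os

# Constructed sample values, not taken from the thread.
PASSWORD = b"correct horse battery"
CHALLENGE = b"<1584.1584508392@mail.example.org>"


def cram_md5_response(secret: bytes, challenge: bytes) -> str:
    """CRAM-MD5 digest: hex HMAC-MD5 of the challenge, keyed with the secret."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


def server_check_cram(stored_secret: bytes, challenge: bytes, response: str) -> bool:
    """The server recomputes the digest, so it must hold the client's key."""
    expected = cram_md5_response(stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """One-way storage hash; PBKDF2 stands in for bcrypt here (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def server_check_plain(stored_hash: bytes, salt: bytes, presented: bytes) -> bool:
    """The password itself arrives at the server, so a one-way hash is enough."""
    return hmac.compare_digest(slow_hash(presented, salt), stored_hash)


def demo() -> dict:
    salt = os.urandom(16)
    stored_hash = slow_hash(PASSWORD, salt)
    response = cram_md5_response(PASSWORD, CHALLENGE)  # what the client sends
    return {
        # Server stores something password-equivalent: challenge-response works.
        "cram_with_password_equivalent": server_check_cram(PASSWORD, CHALLENGE, response),
        # Server stores only the one-way hash: it cannot rebuild the client's key.
        "cram_with_one_way_hash": server_check_cram(stored_hash, CHALLENGE, response),
        # Password sent to the server: the one-way hash verifies it.
        "plain_with_one_way_hash": server_check_plain(stored_hash, salt, PASSWORD),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```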