Server migration, password scheme/hashing, argon2i, argon2d, argon2id, sha512, sha512-crypt, tiger2, salt?
Hello,
I'm migrating to a new server. It's running Debian 11 currently though that's going to 12 this weekend. Currently it uses OpenSSL v3.0.9, and dovecot 2.3.13 and MySQL (in this case MariaDB) for storing user account information v10.6.14. My question is in regard to password storage and scheme/encryption/salts.
Currently they are stored in MariaDB password field with a type of varchar and a 255 character length, and are stored as SHA512-CRYPT. I'm wondering if I should keep this as is or when I migrate go to another scheme? I'm thinking argon2i, argon2d, argon2id, sha512, sha512-crypt, tiger2, salt?
Discussion/opinions welcome. Thanks. Dave.
I did a similar upgrade, and now in the process of migrating from SHA512-CRYPT to BLF-CRYPT with an appropriately set rounds, as I think the default rounds is a little low.
A good write-up on migrating passwords and calculating the rounds: https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixad...
I would take into consideration the following factors when deciding the hashing algo.
Other tools/scripts that need to update or check passwords in the database, for example:
- roundcube webmail has a plugin to allow users to change their password using a variety of methods.
- postfixadmin
For a long time, bcrypt wasn't natively supported by either the version of PHP or the underlying OS libs, so these tools had to rely on calling "doveadm pw" to generate BLF-CRYPT hashes, and assumed that doveadm was available on the same server.
The latest versions support bcrypt and newer hashing algos natively.
Some tools might rely on the database (mysql/mariadb) to hash passwords, so this may also be a consideration.
Server load / libs:
The Dovecot docs: https://doc.dovecot.org/configuration_manual/authentication/password_schemes... has this to say on ARGON2I/ARGON2ID:
"Argon2 is the winner of password hashing competition held at July
The password will start with $argon2i$ or $argon2id$. You can use -r to tune computational complexity, minimum is 3. ARGON2ID is only available if your libsodium is recent enough. ARGON2 can require quite a hefty amount of virtual memory, so we recommend that you set service auth { vsz_limit = 2G } at least, or more."
There's a good write up of considering the various algos:
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet....
I considered BLF-CRYPT (for the time being) to be strong enough and a good balance between compatibility, strength and server load, given the number of users etc.
Rob
On 2023-06-23 02:14, David Mehler wrote:
> Hello,
> I'm migrating to a new server. It's running Debian 11 currently though that's going to 12 this weekend. Currently it uses OpenSSL v3.0.9, and dovecot 2.3.13 and MySQL (in this case MariaDB) for storing user account information v10.6.14. My question is in regard to password storage and scheme/encryption/salts.
> Currently they are stored in MariaDB password field with a type of varchar and a 255 character length, and are stored as SHA512-CRYPT. I'm wondering if I should keep this as is or when I migrate go to another scheme? I'm thinking argon2i, argon2d, argon2id, sha512, sha512-crypt, tiger2, salt?
-- Robert Lister - email: robl@lentil.org - tel: 020 7043 7996
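An added example, not part of the original messages and not Dovecot's own code: a pre-migration audit that classifies values from the password column by their format prefix (such as the $argon2id$ prefix quoted above) and reports which accounts would need rehashing. The cost threshold, the target schemes and the sample rows are assumptions constructed for illustration.

```python
import re

# Policy values are assumptions for this example, not figures from the thread.
MIN_BCRYPT_COST = 12                       # bcrypt log2 work factor
TARGET_SCHEMES = {"BLF-CRYPT", "ARGON2ID"}
B64 = r"[./0-9A-Za-z]"                     # crypt(3) base64 alphabet
A2 = r"\$v=\d+\$m=\d+,t=(?P<cost>\d+),p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+"
PATTERNS = {
    "SHA512-CRYPT": re.compile(rf"\$6\$(?:rounds=(?P<cost>\d+)\$)?{B64}{{0,16}}\${B64}{{86}}"),
    "BLF-CRYPT": re.compile(rf"\$2[aby]\$(?P<cost>\d\d)\${B64}{{53}}"),
    "ARGON2I": re.compile(r"\$argon2i" + A2),
    "ARGON2ID": re.compile(r"\$argon2id" + A2),
}

def classify(stored):
    """Return (scheme, cost) for one password-column value, or (None, None)."""
    m = re.fullmatch(r"\{([A-Z0-9-]+)\}(.*)", stored)   # optional {SCHEME} prefix
    declared, body = (m.group(1), m.group(2)) if m else (None, stored)
    for scheme, pattern in PATTERNS.items():
        hit = pattern.fullmatch(body)
        if hit:
            if declared not in (None, "CRYPT", scheme):
                return None, None          # prefix contradicts the hash format
            # cost = rounds (5000 if "rounds=" is absent), bcrypt cost, or Argon2 t
            return scheme, int(hit.group("cost") or 5000)
    return None, None

def action(stored):
    scheme, cost = classify(stored)
    if scheme is None:
        return "investigate"               # plaintext, truncated or unknown scheme
    if scheme not in TARGET_SCHEMES or (scheme == "BLF-CRYPT" and cost < MIN_BCRYPT_COST):
        return "rehash-on-login"
    return "ok"

# Constructed rows: syntactically valid strings, not real hashes.
ROWS = {
    "alice": "{SHA512-CRYPT}$6$rounds=100000$saltsaltsaltsalt$" + "A" * 86,
    "bob": "$6$abcdefgh$" + "B" * 86,
    "carol": "{BLF-CRYPT}$2y$05$" + "C" * 53,
    "dave": "{BLF-CRYPT}$2y$12$" + "D" * 53,
    "erin": "{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=1$c2FsdHNhbHQ$" + "E" * 43,
    "frank": "{ARGON2ID}$6$abcdefgh$" + "F" * 86,
}

def audit(rows):
    return {user: action(value) for user, value in rows.items()}
```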
Hello,
Thanks. The other utility I would be using is the Roundcube webmail password plugin. Still trying to figure the best option.
More opinions? Thanks. Dave.
On 6/24/23, Robert Lister <robl@lentil.org> wrote:
> I did a similar upgrade, and now in the process of migrating from SHA512-CRYPT to BLF-CRYPT with an appropriately set rounds, as I think the default rounds is a little low.
Should work then if you have roundcube 1.6.x and php8.2 which is also the bookworm package version.
Depends on your server spec / number of users if you use argon2 over bcrypt.
One approach might be to just migrate all users to BLF-CRYPT anyway, and then set the recommended dovecot member settings and selectively change a few users to ARGON2ID to see the impact. If you stored both hashes in the database, this would allow you to switch back.
If someone gained write access to the database somehow, they could possibly replace a user's password hash with a new one, thereby allowing them to gain access to user accounts.
Two-factor authentication of course is the way to go with roundcube, but by default, there's nothing stopping access using the same credentials via IMAP/Submission without the 2FA, so roundcube 2FA isn't effective by itself if users also have access to IMAP/Submission.
I improved things a bit by using roundcube plugins:-
mmvi/twofactor_webauthn - FIDO2/webauthn 2FA.
And: https://github.com/openSUSE/ap4rc
I modified it a bit to allow using the same username and added some features to it: https://github.com/listerr/ap4rc/tree/last-access
Ultimately the goal is to eliminate passwords using OAUTH2 etc but not quite there yet.
R.
On 2023-06-24 14:54, David Mehler wrote:
> Hello,
> Thanks. The other utility I would be using is the Roundcube webmail password plugin. Still trying to figure the best option.
> More opinions? Thanks. Dave.
-- Robert Lister - email: robl@lentil.org - tel: 020 7043 7996
Participants (2): David Mehler, Robert Lister