[Dovecot] Authentication mechanism and Password scheme
Good day! I'm just trying to figure out that my understanding of subject is correct.
So, if I want to store passwords in my database encrypted with SSHA512 scheme, my only choice for Authentication mechanism is plaintext?
Thanks in advance!
-- Best regards, Костырев Александр, system administrator, ЗАО "Сервер-Центр", tel.: (423) 262-02-62 (ext. 2037), fax: (423) 262-02-10
On 10.4.2012, at 5.37, Костырев Александр Алексеевич wrote:
Good day! I'm just trying to figure out that my understanding of subject is correct.
So, if I want to store passwords in my database encrypted with SSHA512 scheme, my only choice for Authentication mechanism is plaintext?
Yeah, that's correct.
On 10/04/2012 08:11, Timo Sirainen wrote:
On 10.4.2012, at 5.37, Костырев Александр Алексеевич wrote:
Good day! I'm just trying to figure out that my understanding of subject is correct.
So, if I want to store passwords in my database encrypted with SSHA512 scheme, my only choice for Authentication mechanism is plaintext?
Yeah, that's correct.
Does dovecot 2.0 also support SCRAM-SHA?
I only mention because it's come up on my radar recently and as I understand it, it solves the issue of either having
- plain text db of passwords, encrypted login
- encrypted db of passwords, plaintext login
With SCRAM you have both sides "encrypted".
(Clearly it's also desirable that the hash algorithm is well chosen to be resistant to bruteforce, so some might argue that bcrypt/scrypt is even more desirable since there is not yet a GPU implementation - However, at least SHA is a decent stab at things)
Can you confirm my understanding is correct?
Next question is whether any current mail client supports SCRAM..?
Regards
Ed W
On 10.4.2012, at 19.35, Ed W wrote:
Does dovecot 2.0 also support SCRAM-SHA?
v2.1 does.
I only mention because it's come up on my radar recently and as I understand it, it solves the issue of either having
- plain text db of passwords, encrypted login
- encrypted db of passwords, plaintext login
With SCRAM you have both sides "encrypted".
The same way as with DIGEST-MD5 and several others. Each mechanism requires that the server-side password is saved using a hash specific to that auth mechanism, none of them support generic MD5/SHA/etc hashes or other mechanisms' hashes. Looks like Dovecot's current SCRAM-SHA1 supports only plaintext passwords, but it would be possible to add SCRAM-SHA1 password scheme similar to others.
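To make the trade-off in this thread concrete, here is an added example (not code from Dovecot or from anyone in the thread) that runs both sides of a SCRAM-SHA-1 exchange as specified in RFC 5802 next to a Dovecot-style SSHA512 check. The SSHA512 verifier needs the cleartext password from the client, which is why it only works with PLAIN/LOGIN; the SCRAM server never sees the password but needs a stored credential made of salt, iteration count, StoredKey and ServerKey, which cannot be derived from an SSHA512 or any other generic hash. The dictionary layout of the SCRAM credential and the default nonces are this example's own assumptions, not a Dovecot storage format; SASLprep and the `=2C`/`=3D` escaping of user names are omitted.

```python
"""SCRAM-SHA-1 (RFC 5802) against a mechanism-specific stored credential,
beside Dovecot-style SSHA512 verification, which needs the cleartext password."""
import base64
import hashlib
import hmac
import os


def ssha512_store(password: str, salt: bytes = b"") -> str:
    """Dovecot SSHA512 scheme: base64(SHA512(password || salt) || salt)."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()


def ssha512_verify(stored: str, password: str) -> bool:
    """Only possible when the server holds the cleartext the client sent (PLAIN)."""
    raw = base64.b64decode(stored[len("{SSHA512}"):])
    digest, salt = raw[:64], raw[64:]  # SHA-512 digest is 64 bytes, rest is salt
    return hmac.compare_digest(hashlib.sha512(password.encode() + salt).digest(), digest)


def _h(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def scram_sha1_store(password: str, salt: bytes = b"", iterations: int = 4096) -> dict:
    """What a SCRAM-SHA-1 server must store (RFC 5802 section 3); the dict layout
    is this example's assumption, not a Dovecot password-scheme format."""
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {"i": iterations, "salt": salt,
            "stored_key": _h(client_key),                # H(ClientKey)
            "server_key": _hmac(salted, b"Server Key")}  # ServerKey


def scram_sha1_exchange(cred: dict, user: str, password: str,
                        cnonce: str = "cnonce", snonce: str = "snonce") -> dict:
    """Run both sides of the exchange. The server side only touches `cred`,
    the client side only touches `password`; the cleartext never crosses."""
    # C: client-first-message (no channel binding: "n,,")
    client_first_bare = f"n={user},r={cnonce}"
    client_first = "n,," + client_first_bare
    # S: server-first-message, salt and iteration count come from the stored credential
    nonce = cnonce + snonce
    server_first = f"r={nonce},s={base64.b64encode(cred['salt']).decode()},i={cred['i']}"
    # C: derive keys from the password and the parameters the server just sent
    attrs = dict(kv.split("=", 1) for kv in server_first.split(","))
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(),
                                 base64.b64decode(attrs["s"]), int(attrs["i"]))
    client_key = _hmac(salted, b"Client Key")
    client_final_bare = f"c={base64.b64encode(b'n,,').decode()},r={attrs['r']}"
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode()
    proof = _xor(client_key, _hmac(_h(client_key), auth_message))  # ClientKey XOR ClientSignature
    client_final = f"{client_final_bare},p={base64.b64encode(proof).decode()}"
    result = {"client_first": client_first, "server_first": server_first,
              "client_final": client_final, "server_final": None,
              "server_accepted": False, "client_accepted": False}
    # S: recover ClientKey from the proof with StoredKey, then check H(ClientKey) == StoredKey
    proof_srv = base64.b64decode(client_final.split(",p=")[1])
    recovered_client_key = _xor(proof_srv, _hmac(cred["stored_key"], auth_message))
    if not hmac.compare_digest(_h(recovered_client_key), cred["stored_key"]):
        return result  # server-final would be "e=invalid-proof"
    result["server_accepted"] = True
    # S: server-final-message proves knowledge of ServerKey; C: verifies it
    server_sig = _hmac(cred["server_key"], auth_message)
    result["server_final"] = f"v={base64.b64encode(server_sig).decode()}"
    expected = _hmac(_hmac(salted, b"Server Key"), auth_message)
    result["client_accepted"] = hmac.compare_digest(
        base64.b64decode(result["server_final"][2:]), expected)
    return result


if __name__ == "__main__":
    cred = scram_sha1_store("pencil")
    print(scram_sha1_exchange(cred, "user", "pencil"))
```

The exchange reproduces the message trace in RFC 5802 section 5 when fed that section's salt and nonces, so the derivation can be checked against the spec rather than taken on trust. Note that the stored SCRAM credential is still an offline-attack target (PBKDF2-HMAC-SHA-1 at 4096 iterations), and that a captured `stored_key` lets an attacker impersonate the client to that server, so the database needs the same protection as any password hash.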