Re: Password encription
SHA512-CRYPT and PLAIN/LOGIN with SSL.

---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: "j.emerlik" j.emerlik@gmail.com
Date: 25/10/2017 12:07 (GMT+02:00)
To: Aki Tuomi aki.tuomi@dovecot.fi
Cc: Dovecot Mailing List dovecot@dovecot.org
Subject: Re: Password encription

What scheme and mechanism do you recommend?
2017-10-25 11:01 GMT+02:00 Aki Tuomi aki.tuomi@dovecot.fi:
CRAM-MD5 should not be used. It's not terribly secure.

---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: "j.emerlik" j.emerlik@gmail.com
Date: 25/10/2017 11:58 (GMT+02:00)
To: Aki Tuomi aki.tuomi@dovecot.fi
Cc: Dovecot Mailing List dovecot@dovecot.org
Subject: Re: Password encription

Thx Aki, with CRAM-MD5 as scheme and mechanism it works correctly.
2017-10-25 10:52 GMT+02:00 Aki Tuomi aki.tuomi@dovecot.fi:
PLAIN and LOGIN.
Aki Tuomi Dovecot oy
-------- Original message --------
From: "j.emerlik" j.emerlik@gmail.com
Date: 25/10/2017 11:41 (GMT+02:00)
To: Dovecot Mailing List dovecot@dovecot.org
Subject: Password encription

Hi, which authentication mechanism should I use for the SHA-256 password scheme?

Regards, Jack
For me, SHA256-CRYPT and PLAIN/LOGIN with SSL/TLS is working now.
2017-10-25 11:11 GMT+02:00 Aki Tuomi aki.tuomi@dovecot.fi:
SHA512-CRYPT and PLAIN/LOGIN with SSL.

---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: "j.emerlik" j.emerlik@gmail.com
Date: 25/10/2017 12:07 (GMT+02:00)
To: Aki Tuomi aki.tuomi@dovecot.fi
Cc: Dovecot Mailing List dovecot@dovecot.org
Subject: Re: Password encription

What scheme and mechanism do you recommend?
2017-10-25 11:01 GMT+02:00 Aki Tuomi aki.tuomi@dovecot.fi:
CRAM-MD5 should not be used. It's not terribly secure.

---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: "j.emerlik"
Date: 25/10/2017 11:58 (GMT+02:00)
To: Aki Tuomi
Cc: Dovecot Mailing List dovecot@dovecot.org
Subject: Re: Password encription

Thx Aki, with CRAM-MD5 as scheme and mechanism it works correctly.
2017-10-25 10:52 GMT+02:00 Aki Tuomi aki.tuomi@dovecot.fi:
PLAIN and LOGIN.
Aki Tuomi Dovecot oy
-------- Original message --------
From: "j.emerlik" j.emerlik@gmail.com
Date: 25/10/2017 11:41 (GMT+02:00)
To: Dovecot Mailing List dovecot@dovecot.org
Subject: Password encription

Hi, which authentication mechanism should I use for the SHA-256 password scheme?

Regards, Jack
On 25 Oct 2017, at 03:11, Aki Tuomi aki.tuomi@dovecot.fi wrote:
SHA512-CRYPT and PLAIN/LOGIN with SSL.
I’m happy with SHA256-CRYPT and PLAIN/LOGIN.
-- Apple broke AppleScripting signatures in Mail.app, so no random signatures.
On 27.10.2017 08:37, @lbutlr wrote:
On 25 Oct 2017, at 03:11, Aki Tuomi aki.tuomi@dovecot.fi wrote:
SHA512-CRYPT and PLAIN/LOGIN with SSL.
I’m happy with SHA256-CRYPT and PLAIN/LOGIN.
Yes. SHA256-CRYPT is good too. It was just a recommendation over using CRAM-MD5; use anything with salt.
Aki
Aki, if I understand it well, salt is useful when the database is/was stolen? Then the thief can use e.g. rainbow tables to decrypt passwords.

Regards, Jack
2017-10-27 7:42 GMT+02:00 Aki Tuomi aki.tuomi@dovecot.fi:
On 27.10.2017 08:37, @lbutlr wrote:
On 25 Oct 2017, at 03:11, Aki Tuomi aki.tuomi@dovecot.fi wrote:
SHA512-CRYPT and PLAIN/LOGIN with SSL.
I’m happy with SHA256-CRYPT and PLAIN/LOGIN.
Yes. SHA256-CRYPT is good too. It was just a recommendation over using CRAM-MD5; use anything with salt.
Aki
The use of salt, today, is to prevent the attacker from directly seeing who has the same passwords. Of course it will also make a rainbow table attack less useful, but then again, no one uses rainbow tables anymore since it takes about a few minutes to brute force a password in the cloud or on your home computer GPU. SHA512-CRYPT uses by default 4000 rounds on dovecot, to make it more computationally expensive, but still it's not very strong protection anymore.
MD5 with or without salt can be attacked at passwords per second speed, so using CRAM-MD5 or DIGEST-MD5 is a very, very poor choice. Anything with MD5 should not be used for passwords these days.
With Dovecot 2.3 we are making BLF-CRYPT available on all platforms, and also adding support for ARGON2 when you have libsodium available.
Aki
On 27.10.2017 09:44, j.emerlik wrote:
Aki, if I understand it well, salt is useful when the database is/was stolen? Then the thief can use e.g. rainbow tables to decrypt passwords.

Regards, Jack
2017-10-27 7:42 GMT+02:00 Aki Tuomi aki.tuomi@dovecot.fi:
On 27.10.2017 08:37, @lbutlr wrote:
On 25 Oct 2017, at 03:11, Aki Tuomi aki.tuomi@dovecot.fi wrote:
SHA512-CRYPT and PLAIN/LOGIN with SSL.
I’m happy with SHA256-CRYPT and PLAIN/LOGIN.
Yes. SHA256-CRYPT is good too. It was just a recommendation over using CRAM-MD5; use anything with salt.
Aki
You mean that today they are using encrypted passwords to see who has the same passwords, using brute force or hash dictionary attacks?
2017-10-27 8:57 GMT+02:00 Aki Tuomi aki.tuomi@dovecot.fi:
The use of salt, today, is to prevent the attacker from directly seeing who has the same passwords. Of course it will also make a rainbow table attack less useful, but then again, no one uses rainbow tables anymore since it takes about a few minutes to brute force a password in the cloud or on your home computer GPU. SHA512-CRYPT uses by default 4000 rounds on dovecot, to make it more computationally expensive, but still it's not very strong protection anymore.
MD5 with or without salt can be attacked at passwords per second speed, so using CRAM-MD5 or DIGEST-MD5 is a very, very poor choice. Anything with MD5 should not be used for passwords these days.
With Dovecot 2.3 we are making BLF-CRYPT available on all platforms, and also adding support for ARGON2 when you have libsodium available.
Aki
On 27.10.2017 09:44, j.emerlik wrote:
Aki, if I understand it well, salt is useful when the database is/was stolen? Then the thief can use e.g. rainbow tables to decrypt passwords.

Regards, Jack
2017-10-27 7:42 GMT+02:00 Aki Tuomi aki.tuomi@dovecot.fi:
On 27.10.2017 08:37, @lbutlr wrote:
On 25 Oct 2017, at 03:11, Aki Tuomi aki.tuomi@dovecot.fi wrote:
SHA512-CRYPT and PLAIN/LOGIN with SSL.
I’m happy with SHA256-CRYPT and PLAIN/LOGIN.
Yes. SHA256-CRYPT is good too. It was just a recommendation over using CRAM-MD5; use anything with salt.
Aki
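
An added illustration of the thread's point that salt keeps stored hashes from revealing which users share a password (this is not code from the thread or from Dovecot): a small audit over passwd-file style lines carrying Dovecot's `{SCHEME}` prefix. The user names, password and salts are constructed sample data, and the SSHA256 layout used to build them (SHA-256 over password plus salt, salt appended, base64-encoded) is an assumption of this example.

```python
import base64
import hashlib
from collections import defaultdict

# Dovecot scheme names that rely on MD5, which the thread says to avoid.
MD5_BASED = {"CRAM-MD5", "DIGEST-MD5", "PLAIN-MD5", "LDAP-MD5",
             "SMD5", "MD5", "MD5-CRYPT"}

def plain_md5(password):
    """Build an unsalted sample record: hex MD5 of the password."""
    return "{PLAIN-MD5}" + hashlib.md5(password.encode()).hexdigest()

def ssha256(password, salt):
    """Build a salted sample record (layout assumed, see lead-in)."""
    digest = hashlib.sha256(password.encode() + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()

def audit(lines):
    """Return (users on MD5-based schemes, groups of users whose stored
    hash is byte-for-byte identical, i.e. who share a password)."""
    weak, by_hash = [], defaultdict(list)
    for line in lines:
        user, _, rest = line.strip().partition(":")
        field = rest.split(":")[0]          # password is the second field
        if not field.startswith("{") or "}" not in field:
            continue                        # no prefix: default scheme is site-specific
        scheme = field[1:field.index("}")].upper().split(".")[0]  # drop .HEX/.B64
        if scheme in MD5_BASED:
            weak.append((user, scheme))
        by_hash[field].append(user)
    shared = [sorted(users) for users in by_hash.values() if len(users) > 1]
    return sorted(weak), sorted(shared)

# Constructed sample: all four users chose the same password.
SAMPLE = [
    "alice:" + plain_md5("hunter2"),
    "bob:" + plain_md5("hunter2"),
    "carol:" + ssha256("hunter2", b"\x01\x02\x03\x04"),
    "dave:" + ssha256("hunter2", b"\x0a\x0b\x0c\x0d"),
]

if __name__ == "__main__":
    weak, shared = audit(SAMPLE)
    print("MD5-based schemes:", weak)
    print("identical stored hashes:", shared)
```

Only the unsalted pair is reported as sharing a hash; the salted records for the same password differ, so the audit (like anyone reading the database) cannot group them.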