Re: Password encription
SHA512-CRYPT and PLAIN/LOGIN with SSL. ---Aki TuomiDovecot oy -------- Original message --------From: "j.emerlik" <j.emerlik@gmail.com> Date: 25/10/2017 12:07 (GMT+02:00) To: Aki Tuomi <aki.tuomi@dovecot.fi> Cc: Dovecot Mailing List <dovecot@dovecot.org> Subject: Re: Password encription What scheme and mechanism do you recommend?
2017-10-25 11:01 GMT+02:00 Aki Tuomi <aki.tuomi@dovecot.fi>:
CRAM-MD5 should not be used. Its not terribly secure.
---Aki TuomiDovecot oy -------- Original message --------From: "j.emerlik" <j.emerlik@gmail.com> Date: 25/10/2017 11:58 (GMT+02:00) To: Aki Tuomi <aki.tuomi@dovecot.fi> Cc: Dovecot Mailing List <dovecot@dovecot.org> Subject: Re: Password encription Thx Aki, with CRAP-MD5 as scheme and mechanism it's works corretlly.
2017-10-25 10:52 GMT+02:00 Aki Tuomi <aki.tuomi@dovecot.fi>:
PLAIN and LOGIN.
Aki Tuomi Dovecot oy
-------- Original message -------- From: "j.emerlik" <j.emerlik@gmail.com> Date: 25/10/2017 11:41 (GMT+02:00) To: Dovecot Mailing List <dovecot@dovecot.org> Subject: Password encription
Hi, which authentication mechanism should I use for SHA-256 password schama ? Regards, Jack
Form me now is working SHA256-CRYPT and PLAIN/LOGIN with SSL/TLS.
2017-10-25 11:11 GMT+02:00 Aki Tuomi <aki.tuomi@dovecot.fi>:
SHA512-CRYPT and PLAIN/LOGIN with SSL. ---Aki TuomiDovecot oy -------- Original message --------From: "j.emerlik" <j.emerlik@gmail.com> Date: 25/10/2017 12:07 (GMT+02:00) To: Aki Tuomi <aki.tuomi@dovecot.fi> Cc: Dovecot Mailing List <dovecot@dovecot.org> Subject: Re: Password encription What scheme and mechanism do you recommend?
2017-10-25 11:01 GMT+02:00 Aki Tuomi <aki.tuomi@dovecot.fi>:
CRAM-MD5 should not be used. Its not terribly secure.
---Aki TuomiDovecot oy -------- Original message --------From: "j.emerlik" <j.emerlik@gmail.com
Date: 25/10/2017 11:58 (GMT+02:00) To: Aki Tuomi <aki.tuomi@dovecot.fi
Cc: Dovecot Mailing List <dovecot@dovecot.org> Subject: Re: Password encription Thx Aki, with CRAP-MD5 as scheme and mechanism it's works corretlly.
2017-10-25 10:52 GMT+02:00 Aki Tuomi <aki.tuomi@dovecot.fi>:
PLAIN and LOGIN.
Aki Tuomi Dovecot oy
-------- Original message -------- From: "j.emerlik" <j.emerlik@gmail.com> Date: 25/10/2017 11:41 (GMT+02:00) To: Dovecot Mailing List <dovecot@dovecot.org> Subject: Password encription
Hi, which authentication mechanism should I use for SHA-256 password schama ? Regards, Jack
On 27.10.2017 08:37, @lbutlr wrote:
On 25 Oct 2017, at 03:11, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
SHA512-CRYPT and PLAIN/LOGIN with SSL. I’m happy with SHA256-CRYPT and PLAIN/LOGIN.
Yes. SHA256-CRYPT is good too. It was just recommendation over using CRAM-MD5, use anything with salt.
Aki
Aki, if I understand it well, salt is useful when database is/was stolen ? Then thief can use eg. rainbow tables to decrypt passwords. Regards, Jack
2017-10-27 7:42 GMT+02:00 Aki Tuomi <aki.tuomi@dovecot.fi>:
On 27.10.2017 08:37, @lbutlr wrote:
On 25 Oct 2017, at 03:11, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
SHA512-CRYPT and PLAIN/LOGIN with SSL. I’m happy with SHA256-CRYPT and PLAIN/LOGIN.
Yes. SHA256-CRYPT is good too. It was just recommendation over using CRAM-MD5, use anything with salt.
Aki
The use of salt, today, is to prevent the attacker from directly seeing who has same passwords. Of course it also will make a rainbow table attack less useful, but then again, no one uses rainbow tables anymore since it takes about few minutes to brute force a password in the cloud or on your home computer GPU. SHA512-CRYPT uses by default 4000 rounds on dovecot, to make it more computationally expensive, but still it's not very strong protection anymore.
MD5 with or without salt can be attacked at passwords per second speed, so using CRAM-MD5 of DIGEST-MD5 is very very poor choice. Anything with MD5 should not be used for passwords these days.
With Dovecot 2.3 we are making BLF-CRYPT available on all platforms, and also adding support for ARGON2 when you have libsodium available.
Aki
On 27.10.2017 09:44, j.emerlik wrote:
Aki, if I understand it well, salt is useful when database is/was stolen ? Then thief can use eg. rainbow tables to decrypt passwords. Regards, Jack
2017-10-27 7:42 GMT+02:00 Aki Tuomi <aki.tuomi@dovecot.fi>:
On 27.10.2017 08:37, @lbutlr wrote:
On 25 Oct 2017, at 03:11, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
SHA512-CRYPT and PLAIN/LOGIN with SSL. I’m happy with SHA256-CRYPT and PLAIN/LOGIN.
Yes. SHA256-CRYPT is good too. It was just recommendation over using CRAM-MD5, use anything with salt.
Aki
You mean that today they using encrypted passwords to seeing who has same passwords using brute force, hashes dictionary attack ?
2017-10-27 8:57 GMT+02:00 Aki Tuomi <aki.tuomi@dovecot.fi>:
The use of salt, today, is to prevent the attacker from directly seeing who has same passwords. Of course it also will make a rainbow table attack less useful, but then again, no one uses rainbow tables anymore since it takes about few minutes to brute force a password in the cloud or on your home computer GPU. SHA512-CRYPT uses by default 4000 rounds on dovecot, to make it more computationally expensive, but still it's not very strong protection anymore.
MD5 with or without salt can be attacked at passwords per second speed, so using CRAM-MD5 of DIGEST-MD5 is very very poor choice. Anything with MD5 should not be used for passwords these days.
With Dovecot 2.3 we are making BLF-CRYPT available on all platforms, and also adding support for ARGON2 when you have libsodium available.
Aki
On 27.10.2017 09:44, j.emerlik wrote:
Aki, if I understand it well, salt is useful when database is/was stolen ? Then thief can use eg. rainbow tables to decrypt passwords. Regards, Jack
2017-10-27 7:42 GMT+02:00 Aki Tuomi <aki.tuomi@dovecot.fi>:
On 27.10.2017 08:37, @lbutlr wrote:
On 25 Oct 2017, at 03:11, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
SHA512-CRYPT and PLAIN/LOGIN with SSL. I’m happy with SHA256-CRYPT and PLAIN/LOGIN.
Yes. SHA256-CRYPT is good too. It was just recommendation over using CRAM-MD5, use anything with salt.
Aki
participants (3)
-
@lbutlr
-
Aki Tuomi
-
j.emerlik