[Dovecot] Custom password encryption scheme, how to do it?

Ed W lists at wildgooses.com
Tue Oct 2 01:00:01 EEST 2007


> - Generate an initial SHA256 hash out of the password+salt.
> - Re-hash the initial SHA256 hash many thousands of times.

As an aside you should do some research to determine if the second of 
these steps adds any value.  I don't believe that there is a known way 
to reverse an SHA256 hash, and if one is discovered it's not immediately 
obvious that the technique would not break the case of it being applied 
multiple times...

Also the keyspace of a password with say 8 alphanumeric chars is very 
much smaller than an SHA256 space, so you have a big bruteforce issue 
already.

Basically it's not immediately obvious that step 2 adds any or at least 
significant value.  Perhaps instead use a larger salt?

If you are using sql lookups then of course you can code all kinds of 
stuff as part of the lookup...

Good luck


Ed W
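The two-step scheme quoted at the top of this message, implemented as an added example in Python (this is not code from the original thread, from the poster, or from Dovecot itself). The "$"-separated storage format, the 16-byte salt, the 10000-round default and the sample password are assumptions made for the example. The timing helper puts numbers to the question raised above: the per-guess cost an attacker pays rises with the round count, while the 62^8 keyspace of an 8-character alphanumeric password stays fixed.

```python
import hashlib
import hmac
import itertools
import os
import string
import time
from typing import Optional

ALNUM = string.ascii_letters + string.digits  # 62 characters, the keyspace from the post


def iterated_sha256(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Step 1: SHA256(password + salt).  Step 2: rehash the digest `rounds` times.
    rounds=0 gives the plain salted hash."""
    digest = hashlib.sha256(password + salt).digest()
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest


def make_hash(password: str, rounds: int = 10000, salt: Optional[bytes] = None) -> str:
    """Store rounds, salt and digest together so verify() can recover them.
    The 'rounds$salthex$digesthex' layout is an assumption for this example."""
    if salt is None:
        salt = os.urandom(16)  # assumed salt length; the post only says "larger salt"
    digest = iterated_sha256(password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored parameters; constant-time compare of the digests."""
    rounds_s, salt_hex, digest_hex = stored.split("$")
    digest = iterated_sha256(password.encode(), bytes.fromhex(salt_hex), int(rounds_s))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def brute_force(stored: str, charset: str, length: int) -> Optional[str]:
    """Exhaust every `length`-character string over `charset` against one stored
    hash: what an attacker does once salt and round count are known to them."""
    rounds_s, salt_hex, digest_hex = stored.split("$")
    salt, target, rounds = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(rounds_s)
    for chars in itertools.product(charset, repeat=length):
        guess = "".join(chars)
        if iterated_sha256(guess.encode(), salt, rounds) == target:
            return guess
    return None


def guesses_per_second(rounds: int, samples: int = 200) -> float:
    """Measure how many candidate passwords one core can test per second."""
    salt = b"\x00" * 16  # constructed fixed salt; only the timing matters here
    start = time.perf_counter()
    for i in range(samples):
        iterated_sha256(b"guess%d" % i, salt, rounds)
    return samples / (time.perf_counter() - start)


def keyspace_years(rounds: int, charset_size: int = len(ALNUM), length: int = 8) -> float:
    """Worst-case single-core time to exhaust the whole keyspace at the measured rate."""
    return (charset_size ** length) / guesses_per_second(rounds) / (365 * 24 * 3600)


if __name__ == "__main__":
    stored = make_hash("hunter2", rounds=10000)  # sample password, constructed for the demo
    print("stored         :", stored)
    print("verify correct :", verify("hunter2", stored))
    print("verify wrong   :", verify("hunter3", stored))
    for r in (0, 1000, 100000):
        print(f"rounds={r:>6}: ~{guesses_per_second(r):,.0f} guesses/s, "
              f"8-char alnum exhaust ~{keyspace_years(r):,.1f} core-years")
```

Running the script prints the per-guess rate for a few round counts so the cost of step 2 can be compared directly against the keyspace figure in the post. As Ed notes, with SQL lookups the same computation can be expressed inside the query; this standalone version only makes the costs visible.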

