[Dovecot] salted passwords

Leonardo Rodrigues leolistas at solutti.com.br
Sun Aug 1 02:06:52 EEST 2010 

Em 31/07/2010 18:51, Patrick Westenberg escreveu:
> Leonardo Rodrigues schrieb:
>>
>>     that's all because i already have a account manager system, 
>> written on PHP, which i had to kept. So i was trying to understand 
>> how that's work to make it work on my system i couldnt stop using.
>>
>>     but after some tryings i got everything running. All my passwords 
>> were already migrated from plaintext to Salted-SHA2-256.
>
> Hi Leonardo,
>
> can you tell me how you solved your problem with creating salted 
> passwords via PHP?
>


     Hi .... yes i've acchieved some PHP routines for creating the 
salted SHA256 password with random salt and also comparing a stored 
hashed password with a plaintext supplied one.

encoded passwords will be exited as:

{SSHA256.HEX}acf5ce0f51cca2077e27884a7cec385c430bb402c2f961b02bfa779c18aaf9a373772d99

encoded password strings is 85-char length with the SSHA.256 prefix and 
72 without it


     as i'm storing passwords with the SSHA256.HEX prefix, my dovecot 
conf has:

default_pass_scheme = PLAIN

     so i can have any dovecot-supported encoded password on the 
database as well as plaintext ones



     code may not be very beautiful, i do admit that i'm not good on 
making beautiful codes .... but its working nice in several places :)

http://pastebin.com/fzDGE561


     the VerifyHashedPassword routine can receive passwords with the 
{SSHA256.HEX} string and without as well. That makes easier to just 
compare database stored passwords as well as the newly generated ones to 
compare with newly encoded ones based on the plaintext supplied.


     usage is pretty simple .... something like:

$hashedpwd = HashedPassword($plainpwd);
and store $hashedpwd whatever you want to store it


     checking the stored password against a supplied password would be 
something like:

if ( VerifyHashedPassword($hashedpwd,$plainpwd) )
{
       // supplied plaintext password MATCH with supplied hashed password
      do whatever you want if passwords matches
} else {
      // supplied plaintext password DO NOT MATCH with supplied hashed 
password
      do whatever you want if passwords DO NOT match
}



     Hope this helps you :)


-- 


	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes at solutti.com.br
	My SPAMTRAP, do not email it

More information about the dovecot mailing list