[Dovecot] salted passwords
Leonardo Rodrigues
leolistas at solutti.com.br
Sun Aug 1 02:06:52 EEST 2010
On 31/07/2010 18:51, Patrick Westenberg wrote:
> Leonardo Rodrigues wrote:
>>
>> That's all because I already have an account manager system,
>> written in PHP, which I had to keep. So I was trying to understand
>> how that works to make it work on my system I couldn't stop using.
>>
>> But after some tries I got everything running. All my passwords
>> were already migrated from plaintext to Salted-SHA2-256.
>
> Hi Leonardo,
>
> can you tell me how you solved your problem with creating salted
> passwords via PHP?
>

Hi .... yes, I've achieved some PHP routines for creating the
salted SHA256 password with random salt and also comparing a stored
hashed password with a plaintext supplied one.

Encoded passwords will be output as:

{SSHA256.HEX}acf5ce0f51cca2077e27884a7cec385c430bb402c2f961b02bfa779c18aaf9a373772d99

Encoded password strings are 85 characters long with the SSHA.256 prefix and
72 without it.

As I'm storing passwords with the SSHA256.HEX prefix, my dovecot
conf has:

    default_pass_scheme = PLAIN

so I can have any dovecot-supported encoded password in the
database as well as plaintext ones.

The code may not be very beautiful, I do admit that I'm not good at
making beautiful code .... but it's working nicely in several places :)

http://pastebin.com/fzDGE561

The VerifyHashedPassword routine can receive passwords with the
{SSHA256.HEX} string and without as well. That makes it easier to just
compare database-stored passwords as well as the newly generated ones to
compare with newly encoded ones based on the plaintext supplied.

Usage is pretty simple .... something like:

    $hashedpwd = HashedPassword($plainpwd);

and store $hashedpwd wherever you want to store it.

Checking the stored password against a supplied password would be
something like:

    if ( VerifyHashedPassword($hashedpwd, $plainpwd) )
    {
        // supplied plaintext password MATCHES the supplied hashed password
        // do whatever you want if the passwords match
    } else {
        // supplied plaintext password DOES NOT MATCH the supplied hashed
        // password
        // do whatever you want if the passwords DO NOT match
    }

Hope this helps you :)

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
gertrudes at solutti.com.br
My SPAMTRAP, do not email it
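
The format described in the message above, as added example code (not part of the original post and not the routines behind the pastebin link). It assumes the encoded value is the hex of SHA-256(password followed by salt) with the salt appended, using a 4-byte salt, which is consistent with the 72-character length stated in the post; the function names ssha256_hex_encode and ssha256_hex_verify are hypothetical.

```php
<?php
// Added example: generate and verify {SSHA256.HEX} values in PHP 7+.
// Assumed layout: hex( SHA256(password . salt) . salt ), 4-byte salt.

const SSHA256_PREFIX     = '{SSHA256.HEX}';
const SSHA256_DIGEST_LEN = 32;  // raw SHA-256 output in bytes
const SSHA256_SALT_LEN   = 4;   // 72 hex chars = (32 + 4) bytes

function ssha256_hex_encode(string $plain, ?string $salt = null): string
{
    // random_bytes() draws the salt from the OS CSPRNG.
    $salt   = $salt ?? random_bytes(SSHA256_SALT_LEN);
    $digest = hash('sha256', $plain . $salt, true);
    return SSHA256_PREFIX . bin2hex($digest . $salt);
}

function ssha256_hex_verify(string $stored, string $plain): bool
{
    // Accept the value with or without the scheme prefix.
    if (strncasecmp($stored, SSHA256_PREFIX, strlen(SSHA256_PREFIX)) === 0) {
        $stored = substr($stored, strlen(SSHA256_PREFIX));
    }
    // Malformed input (non-hex, odd length, no salt) never matches.
    if (!ctype_xdigit($stored) || strlen($stored) % 2 !== 0
        || strlen($stored) <= 2 * SSHA256_DIGEST_LEN) {
        return false;
    }
    $raw      = hex2bin($stored);
    $digest   = substr($raw, 0, SSHA256_DIGEST_LEN);
    $salt     = substr($raw, SSHA256_DIGEST_LEN);
    $expected = hash('sha256', $plain . $salt, true);
    // hash_equals() compares in constant time.
    return hash_equals($digest, $expected);
}

// Constructed sample values, for illustration only.
$stored = ssha256_hex_encode('example-password');
echo $stored, "\n";
echo 'length with prefix: ', strlen($stored), "\n";
echo 'length without prefix: ', strlen($stored) - strlen(SSHA256_PREFIX), "\n";
var_dump(ssha256_hex_verify($stored, 'example-password'));
var_dump(ssha256_hex_verify(substr($stored, strlen(SSHA256_PREFIX)), 'example-password'));
var_dump(ssha256_hex_verify($stored, 'wrong-password'));
var_dump(ssha256_hex_verify('{SSHA256.HEX}not-hex', 'example-password'));
```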