[Dovecot] Storing passwords encrypted... bcrypt?

WJCarpenter bill-dovecot at carpenter.org
Wed Jan 4 00:10:13 EET 2012


>> Was just perusing this article about how trivial it is to decrypt
>> passwords that are stored using most (standard) encryption methods (like
>> MD5), and was wondering - is it possible to use bcrypt with
>> dovecot+postfix+mysql (or postgres)?
>
> Ooop... forgot the link:
>
> http://codahale.com/how-to-safely-store-a-password/

AFAIK, that web page is correct in a relative sense, but getting bcrypt 
support might not be the most urgent priority.

In his description, he uses the example of passwords which are 
"lowercase, alphanumeric, and 6 characters long" (and in another place 
the example is "lowercase, alphabetic passwords which are ≤7 
characters", I guess to illustrate that things have gotten faster).  If 
you are allowing your users to create such weak passwords, using bcrypt 
will not save you/them.  Attackers will just be wasting more of your CPU 
time making attempts.  If they get a copy of your hashed passwords, 
they'll likely be wasting their own CPU time, but they have plenty of 
that, too.

There are plenty of recommendations for what makes a good password / 
passphrase.  If you are not already enforcing such rules (perhaps also 
with a lookaside to one or more of the leaked tables of passwords 
floating around), then IMHO that's much more urgent.  (One of the best 
twists I read somewhere [sorry, I forget where] was to require at least 
one uppercase and one digit, but to not count them as fulfilling the 
requirement if they were used as the first or last character.)

Side note, but for the sake of precision ... attackers are not literally 
decrypting passwords.  They are guessing passwords and then performing a 
one-way hash to see if they guessed correctly.  As a practical matter, 
that means that you have to ask your users to update their passwords any 
time you change the password storage scheme.  (I don't know enough about 
bcrypt to know if that would be required if you wanted to simply 
increase the work factor.)
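The points above (a policy that only counts uppercase letters and digits when they are not the first or last character, a lookaside against leaked-password lists, guess-then-hash verification rather than "decryption", and what happens to stored hashes when the work factor is raised) as an added example; this is not code from the original message or from Dovecot. Because bcrypt is not in Python's standard library, PBKDF2-HMAC-SHA256 from hashlib stands in for it here; like bcrypt, it keeps its cost inside the stored string, which is what lets a login path notice an outdated cost and rehash with the freshly verified password instead of forcing a reset. The stored-hash format, the cost values, the minimum length and the small leaked-password set are all constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# --- password policy (constructed values, not Dovecot settings) ---------------
MIN_LENGTH = 10
# Stand-in for a lookaside against leaked password tables; constructed entries.
LEAKED_PASSWORDS = {"password1", "qwerty12345", "letmein2012"}


def has_interior_upper_and_digit(pw: str) -> bool:
    """Require an uppercase letter and a digit, but ignore the first and last
    character when checking, so 'Password1' does not qualify."""
    interior = pw[1:-1]
    return any(c.isupper() for c in interior) and any(c.isdigit() for c in interior)


def check_new_password(pw: str) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable."""
    if len(pw) < MIN_LENGTH:
        return "too short"
    if pw.lower() in LEAKED_PASSWORDS:
        return "appears in a leaked-password list"
    if not has_interior_upper_and_digit(pw):
        return "uppercase letter and digit must not only be first/last characters"
    return None


# --- storage with an embedded work factor -------------------------------------
SCHEME = "pbkdf2-sha256"     # stand-in for bcrypt; format is constructed
CURRENT_COST = 100_000       # iterations; raise this over time


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(pw: str, cost: int = CURRENT_COST) -> str:
    """Salted, iterated one-way hash; the cost is stored next to the digest."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, cost)
    return "$".join([SCHEME, str(cost), _b64(salt), _b64(dk)])


def verify_password(pw: str, stored: str) -> bool:
    """Nothing is 'decrypted': the candidate is hashed with the stored salt and
    cost, and the digests are compared in constant time."""
    try:
        scheme, cost_s, salt_b64, dk_b64 = stored.split("$")
        cost = int(cost_s)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except ValueError:          # malformed record (binascii.Error is a ValueError)
        return False
    if scheme != SCHEME:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, cost)
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, target_cost: int = CURRENT_COST) -> bool:
    """True if the record uses another scheme or a cost below the current one."""
    scheme, cost_s, _, _ = stored.split("$")
    return scheme != SCHEME or int(cost_s) < target_cost


def login(pw: str, stored: str) -> Tuple[bool, str]:
    """Verify, and if the record is outdated, return a replacement hash made
    from the password we just verified. Returns (ok, stored_record)."""
    if not verify_password(pw, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_password(pw)
    return True, stored


if __name__ == "__main__":
    for candidate in ["Password1", "Qwerty12345", "paSsword12"]:
        print(candidate, "->", check_new_password(candidate) or "accepted")
    old = hash_password("paSsword12", cost=20_000)   # record from before a cost bump
    ok, new = login("paSsword12", old)
    print("login ok:", ok, "| rehashed:", new != old, "| up to date:", not needs_rehash(new))
```

The rehash-on-login path is the piece that matters operationally: when the work factor is raised, existing records keep verifying at their old cost and are silently upgraded the next time their owner authenticates, so only a scheme change that cannot be verified at all (say, from unsalted MD5 to bcrypt) forces users to set a new password.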
