[Dovecot] Storing passwords encrypted... bcrypt?
Charles Marcus
CMarcus at Media-Brokers.com
Wed Jan 4 00:30:30 EET 2012
On 2012-01-03 5:10 PM, WJCarpenter <bill-dovecot at carpenter.org> wrote:
> In his description, he uses the example of passwords which are
> "lowercase, alphanumeric, and 6 characters long" (and in another place
> the example is "lowercase, alphabetic passwords which are ≤7
> characters", I guess to illustrate that things have gotten faster). If
> you are allowing your users to create such weak passwords, using bcrypt
> will not save you/them. Attackers will just be wasting more of your CPU
> time making attempts. If they get a copy of your hashed passwords,
> they'll likely be wasting their own CPU time, but they have plenty of
> that, too.
I require strong passwords of 15 characters in length. What's more, they
are assigned (by me), and the user cannot change it. But, he isn't
talking about brute force attacks against the server. He is talking
about if someone gained access to the SQL database where the passwords
are stored (as has happened countless times in the last few years), and
then had the luxury of brute forcing an attack locally (on their own
systems) against your password database.
--
Best regards,
Charles
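The point argued above (a work-factor hash such as bcrypt multiplies the attacker's per-guess cost on a leaked database, but cannot rescue a tiny keyspace) as an added, runnable illustration. This is example code written for this page, not code from the Dovecot project or from anyone in the thread. It uses only the Python standard library: PBKDF2-HMAC-SHA256 stands in for bcrypt as a tunable work-factor hash, the offline guess rate is a constructed assumption, and the 62-character alphabet for the 15-character policy is assumed, since the post does not state its alphabet.

```python
"""Added example (not from the Dovecot list thread): how a work-factor
password hash changes the cost of an offline attack on a leaked password
database, and why the password policy still matters.

Standard library only. PBKDF2-HMAC-SHA256 stands in for bcrypt (same idea:
a tunable work factor). Guess rates below are constructed assumptions for
illustration, not measurements of any real hardware.
"""
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = 200_000,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$dk_hex.
    A fresh random salt per user defeats precomputed tables and makes
    every guess cost one full KDF evaluation per target account."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time.
    Malformed records are rejected rather than raising."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != ALGO:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of a fixed length over an alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       fast_guesses_per_second: float,
                       iterations: int = 1) -> float:
    """Worst-case time for an offline attacker to try the whole keyspace.
    `fast_guesses_per_second` is the rate against a single plain hash;
    a KDF with `iterations` rounds divides that rate by `iterations`."""
    return keyspace(alphabet_size, length) / (fast_guesses_per_second / iterations)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("verify ok :", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("wrong", record))

    # Constructed assumption: 10^9 plain-hash guesses/s on the attacker's own rig.
    rate = 1e9
    policies = [
        ("lowercase alnum, 6 chars (quoted example)", 36, 6),
        ("lowercase alpha, 7 chars (quoted example)", 26, 7),
        ("15 chars, assumed 62-char alphabet", 62, 15),
    ]
    for name, alphabet, length in policies:
        plain = seconds_to_exhaust(alphabet, length, rate)
        slow = seconds_to_exhaust(alphabet, length, rate, iterations=200_000)
        print(f"{name}: plain hash {plain / 86400:.3g} days, "
              f"200k-round KDF {slow / 86400:.3g} days")
```

Running the script prints the verify results and, for each policy, the worst-case exhaustion time with a plain hash beside the time with a 200,000-round KDF. The KDF multiplies the attacker's cost by the round count, which is exactly the gain bcrypt offers, but for the quoted 6-character lowercase-alphanumeric policy that still leaves the whole keyspace within reach of a patient attacker, while the 15-character policy is out of reach with or without the KDF. The per-user salt in `hash_password` is what forces the attacker to pay that cost once per account rather than once per guess across the whole table.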