[Dovecot] Storing passwords encrypted... bcrypt?

David Ford david at blue-labs.org
Wed Jan 4 00:35:14 EET 2012


On 01/03/2012 05:30 PM, Charles Marcus wrote:
> On 2012-01-03 5:10 PM, WJCarpenter <bill-dovecot at carpenter.org> wrote:
>> In his description, he uses the example of passwords which are
>> "lowercase, alphanumeric, and 6 characters long" (and in another place
>> the example is "lowercase, alphabetic passwords which are ≤7
>> characters", I guess to illustrate that things have gotten faster).  If
>> you are allowing your users to create such weak passwords, using bcrypt
>> will not save you/them.  Attackers will just be wasting more of your CPU
>> time making attempts.  If they get a copy of your hashed passwords,
>> they'll likely be wasting their own CPU time, but they have plenty of
>> that, too.
>
> I require strong passwords of 15 characters in length. What's more,
> they are assigned (by me), and the user cannot change it. But, he
> isn't talking about brute force attacks against the server. He is
> talking about if someone gained access to the SQL database where the
> passwords are stored (as has happened countless times in the last few
> years), and then had the luxury of brute forcing an attack locally (on
> their own systems) against your password database.

When it comes to brute force, passwords like "51k$jh#21hiaj2" are
significantly weaker than "wePut85umbrellasIn2shoes".  They are considerably
more difficult for humans, which makes them far more likely to write them on a
sticky and make them handily available.
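As an added illustration (not code from the thread) of the length-versus-complexity point above and of the offline cracking scenario Charles describes: the script computes the exhaustive search space and entropy of the two example passwords, and how long exhausting that space takes at an assumed guess rate for a fast hash versus a slow bcrypt-style hash. The character-class model and the guess rates are assumptions, not measurements.

```python
import math
import string

# Character classes an exhaustive search must cover as soon as one member of
# the class appears in the password (the usual brute-force attacker model).
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)

def charset_size(password: str) -> int:
    """Size of the union of character classes needed to cover the password."""
    size = sum(len(cls) for cls in CHAR_CLASSES
               if any(ch in cls for ch in password))
    if size == 0:
        raise ValueError("password contains no recognised character class")
    return size

def brute_force_space(password: str) -> int:
    """Worst-case candidate count for exhaustive search: charset ** length.
    This models pure brute force only; a wordlist attack on a passphrase
    is a different (and smaller) search space."""
    return charset_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    """log2 of the brute-force space, the usual 'bits of entropy' figure."""
    return math.log2(brute_force_space(password))

def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Time to try every candidate at a given guess rate, in years."""
    return space / guesses_per_second / (365.25 * 24 * 3600)

def compare(passwords, fast_rate: float, slow_rate: float) -> dict:
    """Per-password summary under a fast hash and a slow (bcrypt-style) hash.
    The guess rates are caller-supplied assumptions, not measurements."""
    report = {}
    for pw in passwords:
        space = brute_force_space(pw)
        report[pw] = {"charset": charset_size(pw), "length": len(pw),
                      "bits": round(entropy_bits(pw), 1),
                      "years_fast": years_to_exhaust(space, fast_rate),
                      "years_slow": years_to_exhaust(space, slow_rate)}
    return report

if __name__ == "__main__":
    # Passwords from the post; the rates are constructed placeholder figures.
    for pw, row in compare(("51k$jh#21hiaj2", "wePut85umbrellasIn2shoes"),
                           1e10, 1e4).items():
        print(pw, row)
```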
