[Dovecot] Storing passwords encrypted... bcrypt?
Charles Marcus
CMarcus at Media-Brokers.com
Wed Jan 4 03:25:02 EET 2012
On 2012-01-03 6:12 PM, WJCarpenter <bill-dovecot at carpenter.org> wrote:
> On 1/3/2012 2:38 PM, Simon Brereton wrote:
>> http://xkcd.com/936/
>
> As they saying goes, entropy ain't what it used to be.
>
> https://www.grc.com/haystack.htm
>
> However, both links actually illustrate the same point: once you get
> past dictionary attacks, the length of the password is dominant factor
> in the strength of the password against brute force attack.
I think ya'll are missing the point... not sure, because I'm still not
completely sure that this is saying what I think it is saying (that's
why I asked)...
I'm not worried about *active* brute force attacks against my server
using the standard smtp or imap protocols - fail2ban takes care of those
in a hurry.
What I'm worried about is the worst case scenario of someone getting
ahold of the entire user database of *stored* passwords, where they can
then take their time and brute force them at their leisure, on *their*
*own* systems, without having to hammer my server over smtp/imap and
without the automated limit of *my* fail2ban getting in their way.
As for people writing their passwords down... our policy is that it is a
potentially *firable* *offense* (never even encountered one case of
anyone posting their password, and I'm on these systems off and on all
the time) if they do post these anywhere that is not under lock and key.
Also, I always set up their email clients for them (on their
workstations and on their phones - and of course tell it to remember the
password, so they basically never have to enter it.
--
Best regards,
Charles
More information about the dovecot
mailing list