[Dovecot] Storing passwords encrypted... bcrypt?
Patrick Domack
patrickdk at patrickdk.com
Thu Jan 5 04:06:44 EET 2012
Quoting Noel Butler <noel.butler at ausics.net>:
> On Tue, 2012-01-03 at 20:58 -0500, Michael Orlitzky wrote:
>
>
>> To prevent rainbow table attacks, salt your passwords. You can make them
>> a little bit more difficult in plenty of ways, but salt is the /solution/.
>
>
>
> Agreed...
> We use Crypt::PasswdMD5 -
> unix_md5_crypt() for all general password storage including mail/ftp
> etc, except for web, where we need to use apache_md5_crypt().
But still, the results are all the same: if they get the hash, it can
be broken, given time. Using more CPU-expensive methods makes it take
longer (like adding salt, more complex hash). But the end result is
they will have it if they want it.

The only solution is to use two-factor authentication, or rotate your
passwords quicker than they can get broken.
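
An added example, not part of the original post or thread: it shows a table computed once recovering unsalted hashes, failing against salted ones, and the per-account checking cost growing with the iteration count. PBKDF2 is an assumption standing in for the salted, CPU-expensive schemes discussed above; the wordlist, users and salts are constructed.

```python
import hashlib
import hmac

# Constructed sample data: a small wordlist and two accounts sharing one weak password.
WORDLIST = ["123456", "letmein", "hunter2", "correct horse"]
USERS = {"alice": "hunter2", "bob": "hunter2"}
# Fixed salts keep the example reproducible; real systems use os.urandom(16) per account.
SALTS = {"alice": b"constructed-salt-A", "bob": b"constructed-salt-B"}


def unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()


def salted(password, salt, iterations):
    # PBKDF2 is an assumption standing in for md5-crypt or bcrypt: salted and tunably slow.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify(password, salt, iterations, stored):
    return hmac.compare_digest(salted(password, salt, iterations), stored)


def table_hits(stored_hashes):
    """Look every stored hash up in one table that was computed in advance."""
    table = {unsalted(word): word for word in WORDLIST}
    return {user: table.get(h) for user, h in stored_hashes.items()}


def audit_cost(records, iterations):
    """Hash rounds needed to test WORDLIST against each salted record, and who fell."""
    rounds, weak = 0, []
    for user, (salt, stored) in records.items():
        for guess in WORDLIST:
            rounds += iterations  # nothing is reusable across accounts: salts differ
            if verify(guess, salt, iterations, stored):
                weak.append(user)
                break
    return rounds, weak


def salted_records(iterations):
    return {u: (SALTS[u], salted(p, SALTS[u], iterations)) for u, p in USERS.items()}


if __name__ == "__main__":
    print(table_hits({u: unsalted(p) for u, p in USERS.items()}))
    for n in (1_000, 100_000):
        recs = salted_records(n)
        print(n, table_hits({u: r[1] for u, r in recs.items()}), audit_cost(recs, n))
```

The weak password is found at every iteration count; salt and iterations only change how much work each account costs.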