[Dovecot] Storing passwords encrypted... bcrypt?

Noel Butler noel.butler at ausics.net
Thu Jan 5 04:31:37 EET 2012


On Wed, 2012-01-04 at 21:06 -0500, Patrick Domack wrote:

> Quoting Noel Butler <noel.butler at ausics.net>:
> 
> > On Tue, 2012-01-03 at 20:58 -0500, Michael Orlitzky wrote:
> >
> >> To prevent rainbow table attacks, salt your passwords. You can make them
> >> a little bit more difficult in plenty of ways, but salt is the /solution/.
> >
> > Agreed...
> > We use Crypt::PasswdMD5 -
> > unix_md5_crypt() for all general password storage including mail/ftp
> > etc, except for web, where we need to use apache_md5_crypt().
> 
> But still, the results are all the same, if they get the hash, it can
> be broken, given time. Using more CPU expensive methods makes it take
> longer (like adding salt, more complex hash). But the end result is
> they will have it if they want it.
> 
> The only solution is to use two factor authentication, or rotate your
> passwords quicker than they can get broken.
Yup, anything can be broken, given time and resources, no matter what,
but using crypted MD5 is better than using normal md5 (like sadly way
too many use) and having easy rainbow attacks succeed in mere seconds.

No matter how good your database security is, always assume the worst;
too many think that a DB compromise just can't happen to them, and as
Murphy's law shows, they're usually the ones it does happen to.
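As an added illustration of the point made in this thread (not code from either poster, and not Crypt::PasswdMD5 itself), here is a pure-Python implementation of the same $1$ md5-crypt scheme that unix_md5_crypt() produces, beside plain unsalted MD5. The password and salt values are constructed for the example; it assumes only the standard library.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: `count` chars, least significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt(password: str, salt: str) -> str:
    """The '$1$' crypt scheme: MD5 with a per-user salt and 1000 stretching rounds."""
    pw, magic, sp = password.encode(), b"$1$", salt[:8].encode()
    ctx = hashlib.md5(pw + magic + sp)
    final = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:                      # mix in MD5(pw,salt,pw), len(pw) bytes in total
        ctx.update(final[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                           # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):              # the stretching loop that makes guessing slower
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final                          # the scheme's fixed byte shuffle before encoding
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4) for a, b, c in groups)
    return f"$1${sp.decode()}${out}{_to64(f[11], 2)}"

def new_md5_crypt(password: str) -> str:
    """Hash with a fresh random 8-char salt, so equal passwords get unequal hashes."""
    return md5_crypt(password, "".join(secrets.choice(ITOA64) for _ in range(8)))

def verify_md5_crypt(password: str, stored: str) -> bool:
    """Re-derive using the salt embedded in the stored string; constant-time compare."""
    magic, salt, _ = stored.split("$")[1:4]
    return magic == "1" and secrets.compare_digest(md5_crypt(password, salt), stored)

def plain_md5(password: str) -> str:
    """Unsalted MD5: identical for every user with that password, so one table cracks all."""
    return hashlib.md5(password.encode()).hexdigest()
```

Two users with the same password get the same plain_md5() but different new_md5_crypt() strings, which is exactly why a precomputed table helps against the former and not the latter.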