[Dovecot] Storing passwords encrypted... bcrypt?

Charles Marcus CMarcus at Media-Brokers.com
Thu Jan 5 13:24:26 EET 2012


On 2012-01-03 8:37 PM, David Ford <david at blue-labs.org> wrote:
> part of my point along that of brute force resistance, is that
> when security becomes onerous to the typical user such as requiring
> non-repeat passwords of "10 characters including punctuation and mixed
> case", even stalwart policy followers start tending toward avoiding it.

Our policy is that we also don't force password changes unless/until 
there is a reason (an account is hacked/abused).

I've been managing this mail system for 11+ years now, and this has 
*never* happened (knock wood). I'm not saying we're immune, or it can 
never happen, I'm simply saying it has never happened, so our policy is 
working as far as I'm concerned.

> if anyone has a stressful job, spends a lot of time working, missing
> sleep, is thereby prone to memory lapse, it's almost a sure guarantee
> they *will* write it down/store it somewhere -- usually not in a
> password safe.

Again - there is no *need* for them to write it down. Once their 
workstation/home computer/phone is set up, it remembers the password for 
them.

> or, they'll export their saved passwords to make a backup plain text
> copy, and leave it on their Desktop folder but coyly named and
> prefixed with a few random emails to grandma, so mr. sysadmin doesn't
> notice it.

And if I don't notice it, no one else will either, most likely.

There is *no* perfect way, but ours works and has been working for 11+ 
years.

> on a tangent, you should worry about active brute force attacks.
> fail2ban and iptables heuristics become meaningless when the brute
> forcing is done by bot nets which is more and more common than
> single-host attacks these days.  one IP per attempt in a 10-20 minute
> window will probably never trigger any of these methods.

Nor will it ever be successful in brute forcing a strong password 
either, because a botnet has to try the same user+different passwords, 
and is easy to monitor for an excessive number of failures (of the same 
user login attempts) and notify the sys admin (me) well in advance of 
the hack attempt being successful.

-- 

Best regards,

Charles
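The per-user failure monitoring described in the last paragraph, as an added example that is not part of the original message or of Dovecot itself: per-IP heuristics (fail2ban style) never fire when a botnet spreads one attempt per IP, but counting "auth failed" events per *user* across distinct source addresses does. The log lines are constructed to approximate Dovecot's imap-login "auth failed" format; the field layout, the threshold of 5 and the function names are assumptions for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines approximating Dovecot imap-login output.
# alice is being hit from six different IPs, one attempt each (distributed
# brute force); bob typed his password wrong twice from one IP; carol once.
SAMPLE_LOG = """\
Jan  5 13:01:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Jan  5 13:03:11 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, TLS
Jan  5 13:04:40 mx dovecot: imap-login: Disconnected (auth failed, 2 attempts in 9 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS
Jan  5 13:06:05 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, TLS
Jan  5 13:07:19 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<carol>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.5, TLS
Jan  5 13:08:00 mx dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.5, TLS
Jan  5 13:09:33 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.13, lip=198.51.100.5, TLS
Jan  5 13:12:48 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.14, lip=198.51.100.5, TLS
Jan  5 13:15:57 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice>, method=PLAIN, rip=192.0.2.15, lip=198.51.100.5, TLS
"""

# Pull the attempt count, the user and the remote IP out of an "auth failed" line.
AUTH_FAIL_RE = re.compile(
    r"auth failed, (?P<n>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_failures(lines):
    """Yield (user, remote_ip, attempts) for every auth-failure line; skip the rest."""
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            yield m.group("user"), m.group("rip"), int(m.group("n"))


def per_ip_failures(lines):
    """What a per-IP heuristic sees: failed attempts keyed by source address."""
    counts = defaultdict(int)
    for _user, rip, n in parse_failures(lines):
        counts[rip] += n
    return dict(counts)


def per_user_failures(lines):
    """What the per-user view sees: total failures and distinct IPs per account."""
    summary = defaultdict(lambda: {"attempts": 0, "ips": set()})
    for user, rip, n in parse_failures(lines):
        summary[user]["attempts"] += n
        summary[user]["ips"].add(rip)
    return dict(summary)


def flag_users(lines, threshold=5):
    """Accounts whose failure total reaches the threshold, with the distinct-IP
    count so the operator can tell a distributed attack from one noisy client.
    Returns a list of (user, attempts, distinct_ips), most attempts first."""
    hits = [
        (user, s["attempts"], len(s["ips"]))
        for user, s in per_user_failures(lines).items()
        if s["attempts"] >= threshold
    ]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("busiest single IP:", max(per_ip_failures(lines).values()), "failures")
    for user, attempts, ips in flag_users(lines):
        print(f"ALERT user={user} failures={attempts} distinct_ips={ips}")
```

On the constructed sample the busiest single IP shows only two failures, well under anything a per-IP ban rule would act on, while the per-user view reports six failures against alice from six different addresses. In practice the lines fed to `flag_users` would be the current time window of the log (for example the last 10 to 20 minutes the quoted message mentions), and the alert would go to the administrator rather than only to stdout.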
