[Dovecot] Storing passwords encrypted... bcrypt?

Michael Orlitzky michael at orlitzky.com
Thu Jan 5 17:28:26 EET 2012


On 01/05/12 06:26, Charles Marcus wrote:
> 
>> To prevent rainbow table attacks, salt your passwords. You can make them
>> a little bit more difficult in plenty of ways, but salt is the
>> /solution/.
> 
> Go read that link (you obviously didn't yet, because he claims that
> salting passwords is next to *useless*...
>

He doesn't claim that, but he's a crackpot anyway.

Use a slow algorithm (others already mentioned bcrypt) to prevent
brute-force search, and use salt to prevent pre-computed lookups. Anyone
who tells you otherwise can probably be ignored. Extraordinary claims
require extraordinary evidence.
>> You realize they're just walking around with a $400 post-it note with
>> the password written on it, right?
> 
> Nope, you are wrong - as I have patiently explained before. They do not
> *need* to write their password down.
> 

They have them written down on their phones. If someone gets a hold of
the phone, he can just read the password off of it.
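The two properties argued for above, a deliberately slow hash to blunt brute-force search and a per-password salt to defeat precomputed lookups, in working code. This is an added example, not part of the thread and not Dovecot's own code. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (same idea, no third-party package needed); the iteration count, the `$pbkdf2-sha256$iterations$salt$hash` storage string and the function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumption: the iteration count is the cost knob. Raising it makes every
# guess slower for an attacker by the same factor it slows a legitimate login.
DEFAULT_ITERATIONS = 100_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: $pbkdf2-sha256$<iters>$<salt>$<hash>.

    A fresh random salt is drawn per password unless one is supplied (the
    explicit salt parameter exists only so the example can show determinism).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations)
    return "$pbkdf2-sha256${}${}${}".format(iterations, _b64(salt),
                                            _b64(derived))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and cost, compare in constant time.

    Malformed stored strings verify as False rather than raising, so a
    corrupted database row cannot turn into an authentication bypass.
    """
    try:
        _, scheme, iters, salt_b64, hash_b64 = stored.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, expected)


def salt_defeats_precomputation(password: str) -> bool:
    """Same password, two independent random salts, two unrelated hashes.

    This is why a table precomputed for one salt is worthless for another.
    """
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("wrong pw:", verify_password("Tr0ub4dor&3", stored))
    print("salts differ:", salt_defeats_precomputation("hunter2"))
```

Storing the iteration count alongside the hash is what lets you raise the cost later and re-hash users transparently at their next successful login; the verifier reads the cost from the stored string rather than from a global, so old and new records coexist.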