[Dovecot] Storing passwords encrypted... bcrypt?
Michael Orlitzky
michael at orlitzky.com
Thu Jan 5 17:28:26 EET 2012
On 01/05/12 06:26, Charles Marcus wrote:
>
>> To prevent rainbow table attacks, salt your passwords. You can make them
>> a little bit more difficult in plenty of ways, but salt is the
>> /solution/.
>
> Go read that link (you obviously didn't yet, because he claims that
> salting passwords is next to *useless*...
>
He doesn't claim that, but he's a crackpot anyway.
Use a slow algorithm (others already mentioned bcrypt) to prevent
brute-force search, and use salt to prevent pre-computed lookups. Anyone
who tells you otherwise can probably be ignored. Extraordinary claims
require extraordinary evidence.
>> You realize they're just walking around with a $400 post-it note with
>> the password written on it, right?
>
> Nope, you are wrong - as I have patiently explained before. They do not
> *need* to write their password down.
>
They have them written down on their phones. If someone gets a hold of
the phone, he can just read the password off of it.