[Dovecot] Storing passwords encrypted... bcrypt?

Charles Marcus CMarcus at Media-Brokers.com
Thu Jan 5 20:36:11 EET 2012


On 2012-01-05 11:21 AM, Willie Gillespie <wgillespie at es2eng.com> wrote:
> If the phone knows the password and I have the phone, then I have the
> password. Similarly, if I compromise the workstation that knows the
> password, then I also have the password.

Interesting... I thought they were stored encrypted. I definitely use a 
(strong) Master Password in Thunderbird to protect the passwords, so it 
would take some doing on the workstations.

> Even if the user doesn't know the password, the phone/workstation does.
> And it has to be stored in a retrievable way.

Yes, if an attacker has unfettered physical access to the 
workstation/phone, it can be compromised...

> That's what he's trying to say when he was talking about a "$400 post-it
> note."

Got it...

As I said, there is no perfect system... but ours has worked well in the 
11+ years we've been doing it this way.

-- 

Best regards,

Charles

