[Dovecot] bcypt availability
lists at wildgooses.com
Sun Jul 15 12:14:21 EEST 2012
> On 7/12/12, Nick Edwards <nick.z.edwards at gmail.com> wrote:
>> Dear Timo,
>> Do you intend to introduce bcrypt into the built in password schemes?
>> In lew of all these hacks lately many larger companies appear moving
>> this way, we are looking at it too, but dovecot will then be the
>> weakest link in the database security.
>> So, are you planning on this and if so what sort of timeframe /
>> version would you expect it to be in beta ?
Interestingly, there doesn't seem to be so much difference between
iterated sha-512 (sha512crypt) and bcrypt. Based on looking at latest
john the ripper results (although I'm a bit confused because they don't
seem to quote the baseline results using the normal default number of
So I think right now, many/most modern glibc are shipping with
sha256/512crypt implementations (recently uclibc also added this). A
small number ship with bcrypt (I have a patch for uclibc), which would
mean that dovecot supported bcrypt out of the box.
For everything else I guess you want a small application and use the
checkpass dovecot method to do external checking? You could for example
implement scrypt checking this way (although I think there is a risk of
running out of server ram if you have many simultaneous logins..?)
I previously thought I wanted bcrypt, but after some consideration I
believe sha256/512crypt is likely sufficient for reasonable security
More information about the dovecot