MD5-CRYPT/CRAM-MD5 vs SHA512-CRYPT/PLAIN

Nick Edwards nick.z.edwards at gmail.com
Sat Dec 6 01:35:58 UTC 2014


On 12/5/14, ML mail <mlnospam at yahoo.com> wrote:
> Hello,
>
> I am wondering which variant is more secure for user authentication and
> password scheme. Basically I am looking at both variants:
>
> 1) MD5-CRYPT password scheme storage with CRAM-MD5 auth mechanism
> 2) SHA512-CRYPT password scheme storage with PLAIN auth mechanism
>
> In my opinion the option 2) should be safer although it is using PLAIN auth
> mechanism. Of course I would always use STARTTLS and not allow unencrypted
> connection.

That's not exactly a true statement. If you offer STARTTLS, you are
optional on encryption; if you mean not allowing unencrypted connections,
then you are forcing TLS, not STARTTLS, since the latter is designed to
accept unencrypted connections and then _try_ to upgrade to encryption if
possible, and if not, stay unencrypted.

>
> What is your opinion?
>
Number 2, as the other poster said, without hesitation and for the reasons he said.
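To make the trade-off between the two options concrete, the following is an added example, not code from this thread or from Dovecot. It runs one CRAM-MD5 exchange (RFC 2195: HMAC-MD5 keyed with the password over a server challenge) and one PLAIN-style verification against a salted one-way verifier. PBKDF2-HMAC-SHA512 from the standard library stands in for SHA512-CRYPT here (an assumption: same salted, slow, one-way shape, not the crypt(3) algorithm); the credentials and challenge format are constructed. The point it shows is the one behind the question: CRAM-MD5 responses are bound to the challenge and cannot be replayed, but the server can only verify them if it keeps the password (or a password-equivalent HMAC key state), whereas PLAIN inside TLS lets the server keep nothing but a salted one-way hash.

```python
"""CRAM-MD5 challenge/response vs PLAIN against a salted one-way verifier."""
import base64
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"

# Work factor for the PBKDF2 stand-in (assumption: not a SHA512-CRYPT rounds value).
PBKDF2_ROUNDS = 100_000


def cram_md5_challenge() -> bytes:
    """Server side: a fresh, unpredictable challenge in the msg-id style RFC 2195 uses."""
    return b"<" + base64.b16encode(os.urandom(12)) + b"@mail.example.invalid>"


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: 'username hexdigest' where hexdigest = HMAC-MD5(password, challenge)."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response: str, challenge: bytes, server_secret: str) -> bool:
    """Server side: recompute the HMAC over the same challenge.

    This needs the password itself (or the equivalent MD5 HMAC key state), so a
    server offering CRAM-MD5 cannot store only a salted one-way hash.
    """
    _user, _, digest = response.partition(" ")
    expected = hmac.new(server_secret.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def make_verifier(password: str) -> tuple[bytes, bytes]:
    """Server side at enrolment: keep salt + slow salted hash, never the password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def plain_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Server side for PLAIN: the client sent the password (inside TLS), so the server
    recomputes the one-way hash and compares in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def run_comparison() -> dict:
    """Exercise both mechanisms once and report the outcomes."""
    # Option 1: CRAM-MD5. The server must hold PASSWORD (or equivalent) to verify.
    challenge = cram_md5_challenge()
    resp = cram_md5_response(USERNAME, PASSWORD, challenge)
    cram_ok = cram_md5_verify(resp, challenge, PASSWORD)
    cram_wrong_pw = cram_md5_verify(
        cram_md5_response(USERNAME, "wrong", challenge), challenge, PASSWORD
    )
    # A captured response is bound to its challenge: against a new challenge it fails.
    cram_replay = cram_md5_verify(resp, cram_md5_challenge(), PASSWORD)

    # Option 2: PLAIN over TLS against a salted one-way verifier; no password at rest.
    salt, digest = make_verifier(PASSWORD)
    plain_ok = plain_verify(PASSWORD, salt, digest)
    plain_wrong_pw = plain_verify("wrong", salt, digest)

    return {
        "cram_ok": cram_ok,
        "cram_wrong_pw": cram_wrong_pw,
        "cram_replay": cram_replay,
        "plain_ok": plain_ok,
        "plain_wrong_pw": plain_wrong_pw,
    }


if __name__ == "__main__":
    for name, value in run_comparison().items():
        print(f"{name}: {value}")
```

Running it shows the correct password accepted and a wrong one rejected by both mechanisms, and a replayed CRAM-MD5 response rejected; what it cannot show in code is the part that decides the question, namely that `cram_md5_verify` has no way to work from the output of `make_verifier`, while `plain_verify` needs nothing else. The response format in `cram_md5_response` matches the published RFC 2195 example (user `tim`, password `tanstaaftanstaaf`).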

