MD5-CRYPT/CRAM-MD5 vs SHA512-CRYPT/PLAIN

Jan Wideł jan.widel at networkers.pl
Sat Dec 6 05:56:00 UTC 2014


On 12/06/2014 02:35 AM, Nick Edwards wrote:
> On 12/5/14, ML mail <mlnospam at yahoo.com> wrote:
>> Hello,
>>
>> I am wondering which variant is more secure for user authentication and
>> password scheme. Basically I am looking at both variants:
>>
>> 1) MD5-CRYPT password scheme storage with CRAM-MD5 auth mechanism
>> 2) SHA512-CRYPT password scheme storage with PLAIN auth mechanism
>>
>> In my opinion, option 2) should be safer although it is using the PLAIN auth
>> mechanism. Of course I would always use STARTTLS and not allow unencrypted
>> connections.
> 
> That's not exactly a true statement. If you offer STARTTLS you are
> optional on encryption; if you mean not allowing unencrypted connections
> then you are forcing TLS, not STARTTLS, since the latter is designed to
> accept unencrypted and then _try_ to upgrade to encryption if possible,
> and if not, stay unencrypted.

If you add the disable_plaintext_auth=yes and ssl=required settings, then
Dovecot will drop authentication without STARTTLS. But the damage will be
done: the client will send the login/password unencrypted (or, in this
scenario, as an MD5 or SHA512 hash).
http://wiki2.dovecot.org/SSL

>> What is your opinion?
>>
> Number 2, as the other poster said without hesitation, and for the reasons he gave.
+1


-- 
Jan Wideł
Senior System Administrator
e-mail: jan.widel at networkers.pl
mobile: +48 797 004 946
www: http://www.networkers.pl
GPG: http://networkers.pl/GPG/2E7359CD.asc
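The two Dovecot settings Jan refers to, shown as an added configuration example (not taken from the thread or from the Dovecot project): the optional-STARTTLS variant is left commented out next to the enforced-TLS variant, with the PLAIN mechanism and SHA512-CRYPT storage from option 2). Certificate, key and passwd-file paths are assumptions.

```conf
# Weak variant: TLS is offered but optional, and plaintext mechanisms
# (PLAIN/LOGIN) are accepted on a cleartext connection, so a client may
# send credentials before (or without ever) issuing STARTTLS.
#ssl = yes
#disable_plaintext_auth = no

# Hardened variant: require TLS for every non-local client connection and
# refuse PLAIN/LOGIN authentication unless the session is already
# TLS-protected (Dovecot still allows plaintext auth from localhost).
ssl = required
# Assumed paths; the leading '<' tells Dovecot to read the file contents.
ssl_cert = </etc/ssl/certs/mail.example.com.pem
ssl_key = </etc/ssl/private/mail.example.com.key
disable_plaintext_auth = yes

# Option 2) from the thread: PLAIN over TLS, hashes stored as SHA512-CRYPT.
# CRAM-MD5 is deliberately not listed, so no challenge-response secret
# needs to be kept server-side.
auth_mechanisms = plain

passdb {
  driver = passwd-file
  # scheme= sets the default for entries without a {SCHEME} prefix;
  # /etc/dovecot/users is an assumed path with lines such as (constructed):
  #   alice:{SHA512-CRYPT}$6$<salt>$<hash>
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/users
}
```

Run `doveconf -n` after the change to confirm the effective values of ssl, disable_plaintext_auth and auth_mechanisms.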

