Blowfish hashed passwords
Patrick Domack
patrickdk at patrickdk.com
Sat Jun 4 13:53:49 UTC 2016
Quoting KT Walrus <kevin at my.walr.us>:
> (I subscribed to a daily digest for this list and can’t figure out
> how to reply to a reply.)
>
> Anyway, Aki Tuomi replied to my feature request saying:
>
>> We support in latest 2.2 release
>>
>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT
>> SHA512-CRYPT
>>
>> There is also blowfish support as BLF-CRYPT, but that requires that your
>> system supports it. CRYPT supports whatever your crypt() supports.
>>
>
> The reason I suggest building in fallback hash type support is that
> my install of Dovecot on Ubuntu 14.04 didn’t support SHA512-CRYPT or
> BLF-CRYPT.
>
> If Dovecot just included the PHP .c files to make sure it can
> process Blowfish/SHA512 password hashes on all installs, it would
> greatly simplify adding Dovecot as a service for my existing user
> accounts (without forcing them to give their password for the site
> so I can generate new hashes in a form that Dovecot supports).
> SHA256-CRYPT is probably my best option for password hashing since
> it supports ROUNDS to make hash generation slower. But, I would
> rather use BLF-CRYPT so I can re-use my existing hashes for my user
> accounts.
I would love to know why your ubuntu 14.04 system doesn't support
sha512-crypt.
My dovecot installs have only ever used sha512-crypt since 2008. Been
using ubuntu since 7.04 with sha512-crypt, and my current systems
running 14.04 and 16.04 both use sha512-crypt.
The default password hash for system user accounts in ubuntu has been
sha512-crypt for a very long time now.
More information about the dovecot
mailing list