Need help in understanding auth digest-md5 and realm

Alex JOST jost+lists at dimejo.at
Sat Oct 28 13:24:06 EEST 2017


On 28.10.2017 at 08:30, Admin Beckspaced wrote:
> 
> 
> On 27.10.2017 20:35, Aki Tuomi wrote:
>>> On October 27, 2017 at 6:00 PM Admin Beckspaced 
>>> <admin at beckspaced.com> wrote:
>>>
>>>
>>> Hello dovecot community,
>>> ...
>>>
>>> If someone could shed some light on this I would be more than 
>>> grateful ;)
>>>
>>> Thanks & greetings
>>> Becki
>> We actually discovered that Android has a bug with DIGEST-MD5, which 
>> Google refuses to fix. Also DIGEST-MD5/CRAM-MD5 etc are not really 
>> good idea with SSL anyways.
>>
>> Aki
>>
>>
> Hello Aki,
> thanks for your reply ... so if there's a bug which Google won't fix 
> it's perhaps best to not offer digest-md5?
> what do you mean by it's not a good idea to use DIGEST-MD5/CRAM-MD5 with 
> SSL?

Those methods encrypt the password itself which was a good thing back in 
the days when most connections were unencrypted. The disadvantage is 
that they require the password to be saved in cleartext.

If you can enforce an encrypted connection it is better to use 
PLAIN/LOGIN and save the passwords as hashes (preferably with salts).

-- 
Alex JOST
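The trade-off Alex describes, as an added example that is not part of the thread: in CRAM-MD5 the client answers the server's challenge with an HMAC-MD5 keyed by the password, so the server can only check the answer if it can itself key the same HMAC, which means keeping the password (or an equivalent reversible secret) rather than a one-way hash. With PLAIN inside TLS the password itself reaches the server, which can then verify it against a salted hash. The challenge, username and password below are constructed values, and PBKDF2-HMAC-SHA256 is this example's choice of salted hash, not something the thread specifies.

```python
# Added example (not from the dovecot thread): why CRAM-MD5 ties the server
# to a cleartext password store, while PLAIN over TLS can use salted hashes.
import base64
import hashlib
import hmac
import os

# Constructed sample values; the real challenge is generated per session.
CHALLENGE = b"<1234.1509190000@mail.example.com>"
USER = "becki"
PASSWORD = "correct horse battery staple"


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 keyed with the password
    over the server's challenge, sent as base64("username hexdigest")."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


def cram_md5_verify(stored_secret: str, username: str, challenge: bytes, response: str) -> bool:
    """Server side: recompute the HMAC with what the server has stored.
    Only the password itself reproduces the client's digest."""
    expected = cram_md5_response(username, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def store_salted(password: str, iterations: int = 200_000) -> tuple:
    """What a PLAIN/LOGIN server can keep instead: (salt, digest, iterations)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, dk, iterations


def plain_verify(record: tuple, password: str) -> bool:
    """Server side of PLAIN: the client sent the password (inside TLS), so the
    server re-derives the digest and compares; the stored record alone does
    not reveal the password."""
    salt, dk, iterations = record
    cand = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(cand, dk)


def plain_wire(username: str, password: str) -> str:
    """SASL PLAIN initial response: base64 of NUL user NUL password (no authzid).
    Only acceptable when the connection is already TLS-protected."""
    return base64.b64encode(f"\0{username}\0{password}".encode("utf-8")).decode("ascii")


def demo() -> tuple:
    """Returns (cram ok, cram wrong pw, plain ok, plain wrong pw, cram with hash only)."""
    resp = cram_md5_response(USER, PASSWORD, CHALLENGE)
    cram_ok = cram_md5_verify(PASSWORD, USER, CHALLENGE, resp)
    cram_bad = cram_md5_verify("wrong password", USER, CHALLENGE, resp)

    record = store_salted(PASSWORD)
    plain_ok = plain_verify(record, PASSWORD)
    plain_bad = plain_verify(record, "wrong password")

    # A server holding only the salted hash cannot answer CRAM-MD5: keying the
    # HMAC with the hash (all it has) does not reproduce the client's digest.
    hash_only = cram_md5_verify(record[1].hex(), USER, CHALLENGE, resp)
    return cram_ok, cram_bad, plain_ok, plain_bad, hash_only


if __name__ == "__main__":
    print("CRAM-MD5 response:", cram_md5_response(USER, PASSWORD, CHALLENGE))
    print("PLAIN response:   ", plain_wire(USER, PASSWORD))
    print(demo())
```

The last value returned by `demo()` is the point of the thread: once a deployment stores only salted hashes, CRAM-MD5 (and DIGEST-MD5, which has the same dependency) can no longer be verified, so the two choices really are exclusive.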

