Using SHA256/512 for SQL based password

Robert Moskowitz rgm at htt-consult.com
Wed Feb 13 16:03:26 EET 2019



On 2/13/19 8:30 AM, Aki Tuomi wrote:
> On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
>>
>> On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
>>>
>>> On 13 February 2019 at 00:34:15, Robert Moskowitz
>>> <rgm at htt-consult.com> wrote:
>>>
>>>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
>>>>> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
>>>>>> I have been trying to find how to set the dovecot-sql.conf for using
>>>>>> SHA256/512.  I am going to start clean with the stronger format, not
>>>>>> migrate from the old MD5.  It seems all I need is:
>>>>> you maybe would like to have a look to the hashing algo ARGON2I
>>>>> which is
>>>>> currently recommended for new developments and deployments.
>>>> Recommended by whom?
>>>>
>>>> Can you provide a link?
>>> Sure, please see here:
>>> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>>>
>>>>
>>>> And if I was adventurous about hashes, I would be looking more at
>>>> Keccak.
>>>>
>>>>
>>>> Check out my Internet Draft:
>>>>
>>>>
>>>> draft-moskowitz-small-crypto-00.txt
>>> Thanks for the tip, will have a look into it.
>> Keccak is a general hashing function.  It was the first? of the
>> hashing 'sponge' functions, that many have followed.  It is the basis
>> of SHA3 (at Keccak's greatest strength).
>>
>> Argon2 seems to be special-built for password hashing.  Thing is it is
>> not supported on my CentOS7 system:
>>
>> # doveadm pw -l
>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
>> SHA256-CRYPT SHA512-CRYPT
>>
>> Of course SHA3 is not listed either...
>>
>>
> ARGON2 support is added in dovecot v2.3. It also needs to be enabled
> when compiling dovecot, so varying from packagers it might or might not be
> available. The CRYPT ones are available if crypt(3) supports them. In
> dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

I just found an Argon2 binary for CentOS7:

Installing:
  argon2            armv7hl         20161029-2.el7 epel          22 k
Installing for dependencies:
  libargon2         armv7hl         20161029-2.el7 epel          26 k


How do I get Dovecot 2.2 to use it?
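
For readers following the thread, an added example (not part of any poster's message and not Dovecot project code): a shell helper that ranks the schemes printed by `doveadm pw -l`, using the listing quoted above as input. The grouping and preference order are this example's assumptions; ARGON2ID and BLF-CRYPT are Dovecot 2.3 scheme names that do not appear in the thread's listing.

```shell
#!/bin/sh
# Added example, not from the thread. Grouping and order are assumptions.

# Strongest first: memory-hard KDFs, then salted + iterated schemes.
PREFERRED="ARGON2ID ARGON2I BLF-CRYPT SHA512-CRYPT SHA256-CRYPT PBKDF2"

# Listing copied from the CentOS 7 `doveadm pw -l` output quoted in the thread.
THREAD_LIST="MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
SHA256-CRYPT SHA512-CRYPT"

# classify_scheme NAME: print how the scheme protects a stored password.
classify_scheme() {
    case "$1" in
        ARGON2ID|ARGON2I|BLF-CRYPT|SHA512-CRYPT|SHA256-CRYPT|PBKDF2)
            echo slow ;;          # salted and deliberately expensive
        SSHA|SSHA256|SSHA512|SMD5)
            echo salted-fast ;;   # salted, but a single hash round
        SHA|SHA1|SHA256|SHA512|PLAIN-MD4|PLAIN-MD5|LDAP-MD5)
            echo fast ;;          # unsalted single hash round
        *)
            echo other ;;         # plaintext, challenge-response, legacy
    esac
}

# pick_best "LIST": print the first PREFERRED scheme present in LIST.
pick_best() {
    available=" $(printf '%s' "$1" | tr '\n' ' ') "
    for s in $PREFERRED; do
        case "$available" in
            *" $s "*) echo "$s"; return 0 ;;
        esac
    done
    return 1
}

# report "LIST": one "scheme class" line per scheme.
report() {
    for s in $1; do
        printf '%s %s\n' "$s" "$(classify_scheme "$s")"
    done
}

report "$THREAD_LIST"
echo "best available: $(pick_best "$THREAD_LIST")"
```

On a live server, pass `"$(doveadm pw -l)"` instead of `THREAD_LIST`; the name it prints is the form that `default_pass_scheme` in dovecot-sql.conf and `doveadm pw -s` expect.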



