Using SHA256/512 for SQL based password
Jean-Daniel Dupas
jddupas at xooloo.com
Wed Feb 13 17:53:44 EET 2019
> On 13 Feb 2019 at 14:54, Robert Moskowitz via dovecot <dovecot at dovecot.org> wrote:
>
>
>
> On 2/13/19 8:30 AM, Aki Tuomi wrote:
>> On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
>>>
>>> On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
>>>>
>>>> On 13 February 2019 00:34:15, Robert Moskowitz
>>>> <rgm at htt-consult.com> wrote:
>>>>
>>>>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
>>>>>> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
>>>>>>> I have been trying to find how to set the dovecot-sql.conf for using
>>>>>>> SHA256/512. I am going to start clean with the stronger format, not
>>>>>>> migrate from the old MD5. It seems all I need is:
>>>>>> You may want to have a look at the hashing algorithm ARGON2I,
>>>>>> which is
>>>>>> currently recommended for new developments and deployments.
>>>>> Recommended by whom?
>>>>>
>>>>> Can you provide a link?
>>>> Sure, please see here:
>>>> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>>>>
>>>>>
>>>>> And if I was adventurous about hashes, I would be looking more at
>>>>> Keccak.
>>>>>
>>>>>
>>>>> Check out my Internet Draft:
>>>>>
>>>>>
>>>>> draft-moskowitz-small-crypto-00.txt
>>>> Thanks for the tip, will have a look into it.
>>> Keccak is a general hashing function. It was the first? of the
>>> hashing 'sponge' functions, which many have followed. It is the basis
>>> of SHA3 (at Keccak's greatest strength).
>>>
>>> Argon2 seems to be special-built for password hashing. Thing is it is
>>> not supported on my CentOS7 system:
>>>
>>> # doveadm pw -l
>>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
>>> SHA256-CRYPT SHA512-CRYPT
>>>
>>> Of course SHA3 is not listed either...
>>>
>>>
>> ARGON2 support was added in dovecot v2.3. It also needs to be enabled
>> when compiling dovecot, so depending on the packager it might or might not be
>> available. The CRYPT ones are available if crypt(3) supports them. In
>> dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.
>
> CentOS7 is on dovecot 2.2.36:
>
> # doveadm pw -s ARGON2-CRYPT -p secret
> Fatal: Unknown scheme: ARGON2-CRYPT
> # doveadm pw -s ARGON2 -p secret
> Fatal: Unknown scheme: ARGON2
>
> I tend to stay with the distro's rpms and not take on building and maintaining myself.
And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l).
With dovecot from the dovecot.org repo:
# doveadm pw -s ARGON2I -p secret
{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk
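As an added illustration of the formats discussed in this thread (not code from the dovecot project or from any of the posters): a small Python parser for Dovecot's {SCHEME}hash password strings. It decodes the ARGON2I string above into its PHC fields (variant, version, memory cost in KiB, iterations, parallelism, salt and hash lengths), parses the glibc SHA-crypt layout that SHA512-CRYPT uses, and checks a scheme against the doveadm pw -l list posted for Dovecot 2.2.36, so one can tell before editing dovecot-sql.conf which scheme strings that build would reject with "Unknown scheme". The SHA512-CRYPT sample is a constructed placeholder with a fake digest; the 5000-round default is glibc's when no rounds= field is present.

```python
"""Parse Dovecot-style "{SCHEME}hash" password strings and report what they
encode. Added example for this thread, not Dovecot's own code; uses only the
Python standard library. The scheme list and the ARGON2I hash are copied
from the mails; the SHA512-CRYPT sample is a constructed placeholder."""
import base64
import re

# Output of `doveadm pw -l` on the CentOS 7 / Dovecot 2.2.36 box in the thread.
SCHEMES_2236 = (
    "MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN "
    "CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 "
    "PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT "
    "SHA256-CRYPT SHA512-CRYPT"
).split()

# Listed schemes that are a single unsalted digest (or no digest at all).
# Note "SHA256"/"SHA512" here are plain hashes, not the iterated -CRYPT ones.
UNSALTED_OR_PLAIN = {"MD5", "SHA", "SHA1", "SHA256", "SHA512", "PLAIN-MD4",
                     "PLAIN-MD5", "LDAP-MD5", "LANMAN", "NTLM", "PLAIN",
                     "CLEAR", "CLEARTEXT", "PLAIN-TRUNC"}

# The {ARGON2I} string posted in the thread (doveadm pw -s ARGON2I -p secret).
SAMPLE_ARGON2I = ("{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A"
                  "$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk")
# Constructed placeholder in glibc SHA-crypt layout; the digest part is fake.
SAMPLE_SHA512_CRYPT = "{SHA512-CRYPT}$6$rounds=10000$c0nstructedSalt$" + "X" * 86

_PREFIX = re.compile(r"^\{(?P<scheme>[A-Z0-9-]+)\}(?P<rest>.*)$", re.S)


def _b64_nopad(s):
    """PHC strings use standard base64 without '=' padding; restore it."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def _parse_phc_argon2(rest):
    # Layout: $argon2i$v=19$m=32768,t=4,p=1$<salt>$<hash>
    parts = rest.split("$")
    if len(parts) != 6 or not parts[1].startswith("argon2"):
        raise ValueError("unexpected argon2 PHC layout")
    _, variant, version, params, salt, digest = parts
    p = dict(kv.split("=", 1) for kv in params.split(","))
    return {"variant": variant, "version": int(version.split("=", 1)[1]),
            "memory_kib": int(p["m"]), "iterations": int(p["t"]),
            "parallelism": int(p["p"]),
            "salt_bytes": len(_b64_nopad(salt)),
            "hash_bytes": len(_b64_nopad(digest))}


def _parse_sha_crypt(rest):
    # Layout: $5$ or $6$, optional rounds=N field, then salt and digest.
    parts = rest.split("$")[1:]
    ident = parts.pop(0)
    rounds = 5000  # glibc default when the rounds= field is absent
    if parts and parts[0].startswith("rounds="):
        rounds = int(parts.pop(0).split("=", 1)[1])
    if len(parts) != 2:
        raise ValueError("unexpected crypt layout")
    return {"crypt_id": ident, "rounds": rounds,
            "salt": parts[0], "digest_chars": len(parts[1])}


def parse_dovecot_hash(s):
    """Split '{SCHEME}rest' and decode the rest when the layout is known."""
    m = _PREFIX.match(s)
    if not m:
        raise ValueError("missing {SCHEME} prefix")
    scheme, rest = m.group("scheme"), m.group("rest")
    info = {"scheme": scheme}
    if rest.startswith("$argon2"):
        info.update(_parse_phc_argon2(rest))
    elif rest.startswith("$5$") or rest.startswith("$6$"):
        info.update(_parse_sha_crypt(rest))
    else:
        info["raw"] = rest  # unsalted/plain or a layout this example does not decode
    return info


def scheme_available(scheme, available=SCHEMES_2236):
    """True if the given doveadm build lists the scheme; otherwise it fails with 'Unknown scheme'."""
    return scheme.upper() in available


def assess(s, available=SCHEMES_2236):
    """Parse a stored hash and say whether this build can use it and how strong the scheme family is."""
    info = parse_dovecot_hash(s)
    scheme = info["scheme"]
    if not scheme_available(scheme, available):
        info["verdict"] = "unknown scheme on this build"
    elif scheme in UNSALTED_OR_PLAIN:
        info["verdict"] = "unsalted single-pass digest; prefer a -CRYPT or ARGON2 scheme"
    else:
        info["verdict"] = "salted/iterated scheme available on this build"
    return info


if __name__ == "__main__":
    for sample in (SAMPLE_ARGON2I, SAMPLE_SHA512_CRYPT, "{SHA256}" + "A" * 43):
        print(assess(sample))
```

The memory parameter m is in KiB, so the posted hash costs 32 MiB per verification; reading the parameters out of the stored string this way is also how you confirm, after a package upgrade to 2.3, that new hashes are being written with the cost you configured rather than a default.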