Using SHA256/512 for SQL based password

Marc Weustink m.weustink at kolibri-systems.com
Thu Feb 14 15:39:41 EET 2019


Jean-Daniel Dupas via dovecot wrote:
> 
> 
>> On 13 Feb. 2019 at 14:54, Robert Moskowitz via dovecot 
>> <dovecot at dovecot.org> wrote:
>>
>>
>>
>> On 2/13/19 8:30 AM, Aki Tuomi wrote:
>>> On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
>>>>
>>>> On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
>>>>>
>>>>> On 13 February 2019 00:34:15 Robert Moskowitz
>>>>> <rgm at htt-consult.com> wrote:
>>>>>
>>>>>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
>>>>>>> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
>>>>>>>> I have been trying to find how to set the dovecot-sql.conf for using
>>>>>>>> SHA256/512.  I am going to start clean with the stronger format, not
>>>>>>>> migrate from the old MD5.  It seems all I need is:
>>>>>>> you may want to have a look at the hashing algorithm ARGON2I,
>>>>>>> which is
>>>>>>> currently recommended for new developments and deployments.
>>>>>> Recommended by whom?
>>>>>>
>>>>>> Can you provide a link?
>>>>> Sure, please see here:
>>>>> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>>>>>
>>>>>>
>>>>>> And if I was adventurous about hashes, I would be looking more at
>>>>>> Keccak.
>>>>>>
>>>>>>
>>>>>> Check out my Internet Draft:
>>>>>>
>>>>>>
>>>>>> draft-moskowitz-small-crypto-00.txt
>>>>> Thanks for the tip, will have a look into it.
>>>> Keccak is a general hashing function.  It was the first? of the
>>>> hashing 'sponge' functions, that many have followed.  It is the basis
>>>> of SHA3 (at Keccak's greatest strength).
>>>>
>>>> Argon2 seems to be special-built for password hashing.  Thing is it is
>>>> not supported on my CentOS7 system:
>>>>
>>>> # doveadm pw -l
>>>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>>>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>>>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
>>>> SHA256-CRYPT SHA512-CRYPT
>>>>
>>>> Of course SHA3 is not listed either...
>>>>
>>>>
>>> ARGON2 support is added in dovecot v2.3. It also needs to be enabled
>>> when compiling dovecot, so depending on the packager it might or might
>>> not be available. The CRYPT ones are available if crypt(3) supports them.
>>> In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.
>>
>> CentOS7 is on dovecot 2.2.36:
>>
>> # doveadm pw -s ARGON2-CRYPT -p secret
>> Fatal: Unknown scheme: ARGON2-CRYPT
>> # doveadm pw -s ARGON2 -p secret
>> Fatal: Unknown scheme: ARGON2
>>
>> I tend to stay with the distro's rpms and not take on building and 
>> maintaining myself.
> 
> And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm 
> pw -l)
> 
> With dovecot from the dovecot.org repo:
> 
> # doveadm pw -s ARGON2I -p secret
> {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk

Also from the dovecot.org repo:

doveadm pw -s ARGON2I -p secret
Fatal: Unknown scheme: ARGON2I

????

Marc
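The entries in this thread use Dovecot's `{SCHEME}hash` notation. As an added example (not code from the thread or from Dovecot itself), the block below builds and verifies SHA256/SHA512 and salted SSHA256/SSHA512 entries the way `doveadm pw` prints them, and reads the cost parameters out of the ARGON2I string quoted above; the function names `parse_scheme`, `make_entry`, `verify` and `argon2_params` are chosen here.

```python
import base64
import hashlib
import hmac
import os
import re

_DIGESTS = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}  # plain, or S-prefixed = salted

def parse_scheme(stored: str) -> tuple[str, str]:
    """Split a "{SCHEME}payload" password field into its two parts."""
    m = re.fullmatch(r"\{([A-Z0-9-]+)\}(.*)", stored, re.S)
    if not m:
        raise ValueError("missing {SCHEME} prefix")
    return m.group(1), m.group(2)

def _digest_for(scheme: str):
    """Map SHA*/SSHA* scheme names to (hash constructor, salted?)."""
    salted = scheme.startswith("SS")
    name = scheme[1:] if salted else scheme
    if name not in _DIGESTS:
        raise ValueError(f"scheme {scheme} is not handled here")
    return _DIGESTS[name], salted

def make_entry(scheme: str, password: str, salt: bytes = b"") -> str:
    """Build what doveadm pw prints: base64(digest) for SHA*, and
    base64(digest + salt) for SSHA*, the salt being appended to the input."""
    h, salted = _digest_for(scheme)
    if salted and not salt:
        salt = os.urandom(4)  # doveadm uses a short random salt
    digest = h(password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def verify(stored: str, password: str) -> bool:
    """Constant-time check of a password against a SHA*/SSHA* entry."""
    scheme, payload = parse_scheme(stored)
    h, salted = _digest_for(scheme)
    raw, size = base64.b64decode(payload), h().digest_size
    if len(raw) < size or (len(raw) != size and not salted):
        return False  # truncated, hex-encoded, or wrongly labelled payload
    digest, salt = raw[:size], (raw[size:] if salted else b"")
    return hmac.compare_digest(h(password.encode() + salt).digest(), digest)

def argon2_params(stored: str) -> dict:
    """Read variant, version and m/t/p costs out of a PHC-format argon2 entry."""
    _, payload = parse_scheme(stored)
    parts = payload.split("$")
    if len(parts) != 6 or not parts[1].startswith("argon2"):
        raise ValueError("not a PHC-format argon2 string")
    params = {k: int(v) for k, v in (kv.split("=") for kv in parts[3].split(","))}
    return {"variant": parts[1], "version": int(parts[2][2:]), **params}
```

The plain SHA256/SHA512 schemes carry no salt and are fast to compute, which is why the salted SSHA* or a purpose-built scheme such as ARGON2I is preferable when the server offers it.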

