Using SHA256/512 for SQL based password

Odhiambo Washington odhiambo at gmail.com
Sun Feb 17 10:38:50 EET 2019


On Sun, 17 Feb 2019 at 11:34, Marc Weustink via dovecot <dovecot at dovecot.org>
wrote:

> Jean-Daniel Dupas via dovecot wrote:
> >
> >
> >> On 13 Feb 2019, at 14:54, Robert Moskowitz via dovecot
> >> <dovecot at dovecot.org> wrote:
> >>
> >>
> >>
> >> On 2/13/19 8:30 AM, Aki Tuomi wrote:
> >>> On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
> >>>>
> >>>> On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
> >>>>>
> >>>>> On 13 February 2019 00:34:15, Robert Moskowitz
> >>>>> <rgm at htt-consult.com> wrote:
> >>>>>
> >>>>>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
> >>>>>>> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
> >>>>>>>> I have been trying to find how to set the dovecot-sql.conf for using
> >>>>>>>> SHA256/512.  I am going to start clean with the stronger format, not
> >>>>>>>> migrate from the old MD5.  It seems all I need is:
> >>>>>>> You might like to have a look at the hashing algo ARGON2I, which is
> >>>>>>> currently recommended for new developments and deployments.
> >>>>>> Recommended by whom?
> >>>>>>
> >>>>>> Can you provide a link?
> >>>>> Sure, please see here:
> >>>>> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
> >>>>>
> >>>>>>
> >>>>>> And if I was adventurous about hashes, I would be looking more at
> >>>>>> Keccak.
> >>>>>>
> >>>>>>
> >>>>>> Check out my Internet Draft:
> >>>>>>
> >>>>>>
> >>>>>> draft-moskowitz-small-crypto-00.txt
> >>>>> Thanks for the tip, will have a look into it.
> >>>> Keccak is a general hashing function.  It was the first? of the
> >>>> hashing 'sponge' functions, that many have followed.  It is the basis
> >>>> of SHA3 (at Keccak's greatest strength).
> >>>>
> >>>> Argon2 seems to be special-built for password hashing.  Thing is it is
> >>>> not supported on my CentOS7 system:
> >>>>
> >>>> # doveadm pw -l
> >>>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
> >>>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
> >>>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
> >>>> SHA256-CRYPT SHA512-CRYPT
> >>>>
> >>>> Of course SHA3 is not listed either...
> >>>>
> >>>>
> >>> ARGON2 support is added in dovecot v2.3. It also needs to be enabled
> >>> when compiling dovecot, so depending on the packager it might or might not be
> >>> available. The CRYPT ones are available if crypt(3) supports them. In
> >>> dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.
> >>
> >> CentOS7 is on dovecot 2.2.36:
> >>
> >> # doveadm pw -s ARGON2-CRYPT -p secret
> >> Fatal: Unknown scheme: ARGON2-CRYPT
> >> # doveadm pw -s ARGON2 -p secret
> >> Fatal: Unknown scheme: ARGON2
> >>
> >> I tend to stay with the distro's rpms and not take on building and
> >> maintaining myself.
> >
> > And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm
> > pw -l )
> >
> > With dovecot from the dovecot.org repo:
> >
> > # doveadm pw -s ARGON2I -p secret
> > {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk
>
> Also from dovecot.org repo:
>
> doveadm pw -s ARGON2I -p secret
> Fatal: Unknown scheme: ARGON2I
>
> ????
>
> Marc
>

It works for me over here:

[wash at waridi ~]#/opt/dovecot2.3/bin/doveadm pw -s ARGON2I -p secret
{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$9pggnQBea9F3h3O31HoJEA$0zZZgwEuMRVZ3Mc/v6ckpalzVRVCr+GLBWnb8OrgsxU


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)

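An added example, not part of the original message and not Dovecot code: a small auditor for values in the SQL password column, which reads the `{SCHEME}` prefix and, for Argon2 entries like the `doveadm pw` output above, extracts the cost parameters. The tier names and the grouping of schemes into tiers are assumptions of this example.

```python
import base64
import re

# Tiers are this example's own policy, built from scheme names in the thread.
TIERS = {
    "fast-unsalted": {"SHA256", "SHA512"},
    "fast-salted": {"SSHA256", "SSHA512"},
    "slow-kdf": {"SHA256-CRYPT", "SHA512-CRYPT", "PBKDF2", "ARGON2I", "ARGON2ID"},
}
# {SCHEME} or {SCHEME.b64}/{SCHEME.hex} prefix on a stored password value.
PREFIX = re.compile(r"^\{([A-Za-z0-9-]+)(?:\.(?:b64|base64|hex))?\}(.*)$", re.S)
# doveadm output quoted from the message above.
SAMPLE = ("{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$9pggnQBea9F3h3O31HoJEA"
          "$0zZZgwEuMRVZ3Mc/v6ckpalzVRVCr+GLBWnb8OrgsxU")


def b64_len(text):
    """Decoded byte length of the unpadded base64 used in Argon2 strings."""
    return len(base64.b64decode(text + "=" * (-len(text) % 4)))


def parse_argon2(encoded):
    """Split $argon2i$v=19$m=..,t=..,p=..$salt$hash into its fields."""
    parts = encoded.split("$")
    if len(parts) != 6 or parts[0] or not parts[1].startswith("argon2"):
        raise ValueError("not an Argon2 encoded string")
    variant, version, params, salt, digest = parts[1:]
    cost = dict(item.split("=", 1) for item in params.split(","))
    return {"variant": variant, "version": int(version.partition("=")[2]),
            "memory_kib": int(cost["m"]), "iterations": int(cost["t"]),
            "parallelism": int(cost["p"]),
            "salt_bytes": b64_len(salt), "hash_bytes": b64_len(digest)}


def audit(stored):
    """Classify one value from the SQL password column."""
    match = PREFIX.match(stored)
    if not match:
        return {"scheme": None, "tier": "no-prefix"}
    scheme, body = match.group(1).upper(), match.group(2)
    tier = next((t for t, names in TIERS.items() if scheme in names), "unclassified")
    result = {"scheme": scheme, "tier": tier}
    if scheme.startswith("ARGON2"):
        result.update(parse_argon2(body))
    return result


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run over every row of the user table, this shows at a glance which accounts still carry single-pass SHA hashes and what Argon2 cost settings the packaged `doveadm` actually produced.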
