Headsup on feature removal - password

Hendrik Boom hendrik at topoi.pooq.com
Wed Mar 18 15:51:51 EET 2020


Was there any reason for this message to be HTML-only?

On Wed, Mar 18, 2020 at 07:13:12AM +0200, Aki Tuomi wrote:
> On 18/03/2020 00:06 Rupert Gallagher <ruga at protonmail.com> wrote:
>
> > > Password schemes: HMAC-MD5, RPA, SKEY, PLAIN-MD4, LANMAN, NTLM, SMD5
> >
> > The web is flooded with plain text passwords and hashed passwords harvested from hacked servers.
> >
> > Dovecot stores passwords with the same scheme used for client authentication.
> >
> > Therefore, we use crammd5/hmac-md5. It does not look like much, but is better than plaintext.
> >
> > As md5 is about to go, and I have no intention to store passwords in plaintext, I need to split the scheme used to store passwords from the scheme used for authentication, and migrate storage from md5 to bcrypt.
> >
> > Since this is not possible, I think I will drop passwords entirely and use certificates.
>
> We are not removing CRAM-MD5/DIGEST-MD5/S-CRAM-SHA-1 or S-CRAM-SHA-256. Also just plain MD5 is still staying.
>
> ---
> Aki Tuomi

