[Dovecot] Storing passwords encrypted... bcrypt?
patrickdk at patrickdk.com
Thu Jan 5 16:53:38 EET 2012
Quoting Noel Butler <noel.butler at ausics.net>:
> On Thu, 2012-01-05 at 04:05 +0100, Pascal Volk wrote:
>> On 01/05/2012 03:36 AM Noel Butler wrote:
>> > Because with multiple servers, we store them all in (replicated)
>> > mysql :) (the same with postfix/dovecot).
>> > and as I'm sure you are aware, Apache does not understand standard
>> > crypted MD5, hence why there is the second option of apache_md5_crypt()
>> Oh, let me guess: You are using Windows, Netware, TPF as OS for your
>> web servers? ;-)
>> man htpasswd | grep -- '-d '
>> -d Use crypt() encryption for passwords. This is not
>> supported by the httpd server on Windows and Netware and TPF.
>> As you may have seen in my previous mail, the password is generated
>> using crypt(). HTTP Authentication works with that password hash, even
>> with the httpd from the ASF.
> I think you need to do some homework, and although I now have 3.25 days
> of holidays remaining, I don't intend to waste them educating anybody
> hehe. Assuming you even know what I'm talking about, which I suspect you
> don't since you keep using console commands and things like htpasswd,
> which does not write to a mysql db, you don't seem to have comprehended
> that I do not work with flat files nor local so it is irrelevant, I use
> perl scripts for all systems management, so I hope you are not going to
> suggest that I should make a system call when I can do it natively in
> But please, by all means, create a mysql db using a system crpyted md5
> password, I'll even help ya, openssl passwd -1 foobartilly
> pop the entry into the db and go for your life trying to authenticate.
> and when you've gone through half bottle of bourbon trying to figure out
> why its not working, try the apache crypted md5 version $apr1$yKxk.DrQ
Mysql supports crypt right in it, so you can just submit the password
to the mysql crypt function. We know perl has to support it also.
The first thing I did when I was hired was to convert the password
database from md5 to $6$. After that, I secured the machines that
could and majorly limited what ones of them could get access to the
list. About a month or two after this, we had about a thousand
accounts compromised. So someone obviously got the list in how the old
system was set, as every compromised password contains only lowercase
letters less than 8 long.
I wont say salted anything is bad, but keep the salt lengths up. Start
with 8bytes atleast.
crypts new option to support rounds also makes it a lot of fun, too
bad I haven't seen consistant support for it yet, so I haven't been
able to make use of that option.
More information about the dovecot