[Dovecot] auth failure

Brian Candler B.Candler at pobox.com
Fri Jun 11 11:51:35 EEST 2004


On Thu, Jun 10, 2004 at 09:36:48PM -0400, Tom Allison wrote:
> I've created working passwords using 'mkpasswd --hash=md5'
...
> I can login and everything looks pretty cool.
> 
> Except, as near as I can tell, I'm sending plaintext authentication over 
> the wire.  My best guess is that my password gets munged into digest-md5 
> format before it goes over the wire.

Those two sentences contradict.

I think you mean you're sending plaintext passwords over the wire; when
received at the server they are MD5-hashed, and compared with the hashed
passwords in your database.

You can check this with tcpdump, dsniff etc.

> At this point I'm of the opinion that I'm reasonably secure.
> True so far?

Depends on your definition of "secure".

Unless running over SSL, you are not secure against sniffers, who can easily
see and re-use your passwords. However, someone who breaks into your server
will not have a full table of cleartext passwords, only the hashes. That
means they have to do some work (a dictionary attack) to recover the
passwords. Mind you, given most people's password habits, they'll probably
recover 80% of the passwords within seconds anyway.

Brian.
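The server-side step Brian describes (the plaintext password arrives on the wire, is hashed with the salt taken from the stored `$1$` entry, and the result is compared with that entry), as an added example that is not part of this thread: a pure-Python implementation of the md5-crypt scheme that `mkpasswd --hash=md5` produces, plus a `verify()` of the kind an auth backend runs. The function names and the sample inputs are assumptions of this example; the algorithm follows the original `$1$` md5-crypt definition.

```python
import hashlib
import hmac
import secrets
# crypt(3) alphabet used by md5-crypt ("$1$salt$hash", as made by mkpasswd --hash=md5)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v, n):
    # crypt-style encoding: least significant 6 bits come out first
    out = ""
    for _ in range(n):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return out

def md5_crypt(password, salt=None):
    """Return '$1$<salt>$<hash>'; salt may be a bare salt or a stored hash to reuse."""
    pw = password.encode()
    if salt is None:  # new database entry: random 8-character salt
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$")[0][:8]
    sp = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:  # mix in len(pw) bytes of MD5(pw, salt, pw)
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:  # one byte per bit of len(pw): NUL for a 1 bit, pw[0] for a 0 bit
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    d = ctx.digest()
    for i in range(1000):  # stretching rounds that slow down dictionary attacks
        c = hashlib.md5(pw if i & 1 else d)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(d if i & 1 else pw)
        d = c.digest()
    # the 16 digest bytes are emitted in md5-crypt's interleaved order
    out = "".join(_to64((d[a] << 16) | (d[b] << 8) | d[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return "$1$" + salt + "$" + out + _to64(d[11], 2)

def verify(password, stored):
    # what the server does: re-hash the plaintext from the wire with the stored salt and compare
    return hmac.compare_digest(md5_crypt(password, stored), stored)
```

Note that `verify()` needs the plaintext, which is exactly why the password crosses the wire in the clear unless the session is wrapped in SSL.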
