Dovecot has routines for password hashing; two of these, crypt_generate and md5_generate, both use sizeof(salt_chars) when reducing a random string to salt. I became suspicious when I noted that all salts generated are composed only of "./01". Unfortunately salt_char is declared static const char * rather than static const char [], and so sizeof(salt_chars) is the size of a pointer. Recommend: diff -u -r1.8 password-scheme.c --- password-scheme.c 30 May 2004 03:57:15 -0000 1.8 +++ password-scheme.c 23 Jul 2004 17:05:36 -0000 @@ -15,7 +15,7 @@ # include <openssl/sha.h> #endif -static const char *salt_chars = +static const char salt_chars[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; static buffer_t *schemes_buf; joshua. -- Joshua Goodall "as modern as tomorrow afternoon" joshua@roughtrade.net - FW109
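Review bot: on the `+static const char salt_chars[] =` line, sizeof(salt_chars) becomes 65 rather than 64, because the array form counts the string's terminating NUL. The message says crypt_generate and md5_generate both reduce with sizeof(salt_chars); those call sites are not part of this hunk, and if they remain `% sizeof(salt_chars)` then one index in 65 selects the '\0' byte and cuts the salt short. Suggest checking both callers and using sizeof(salt_chars) - 1 as the modulus in the same patch, with a short comment on the declaration noting that sizeof includes the NUL.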
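The sizeof behaviour described in the message, as an added example that is not part of the original mail or of Dovecot's code. `reduce_to_salt`, `reachable_chars` and `nul_reachable` are hypothetical helpers and the random bytes are constructed; the example also covers the array declaration, where sizeof includes the terminating NUL.

```c
#include <stdio.h>
#include <stddef.h>

/* The alphabet from the quoted patch, declared both ways. */
static const char *salt_chars_ptr =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
static const char salt_chars_arr[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Hypothetical stand-in for the reduction step: map random bytes onto
   alphabet[0 .. modulus-1]. */
static void reduce_to_salt(const unsigned char *rnd, size_t len,
                           const char *alphabet, size_t modulus, char *out)
{
    for (size_t i = 0; i < len; i++)
        out[i] = alphabet[rnd[i] % modulus];
    out[len] = '\0';
}

/* Number of distinct characters one salt position can take. */
static size_t reachable_chars(const char *alphabet, size_t modulus)
{
    unsigned char seen[256] = {0};
    size_t n = 0;
    for (unsigned v = 0; v < 256; v++) {
        unsigned char c = (unsigned char)alphabet[v % modulus];
        if (!seen[c]) { seen[c] = 1; n++; }
    }
    return n;
}

/* 1 if some random byte would select the string's terminating NUL. */
static int nul_reachable(const char *alphabet, size_t modulus)
{
    for (unsigned v = 0; v < 256; v++)
        if (alphabet[v % modulus] == '\0') return 1;
    return 0;
}

/* sizeof of a pointer (4 or 8) versus sizeof of the array (65, with NUL). */
static size_t modulus_pointer(void) { return sizeof(salt_chars_ptr); }
static size_t modulus_array(void)   { return sizeof(salt_chars_arr); }

int main(void)
{
    const unsigned char rnd[8] = {0x9c, 0x3f, 0xe1, 0x07, 0x5a, 0xb2, 0x40, 0xff}; /* constructed */
    char salt[9];
    reduce_to_salt(rnd, 8, salt_chars_ptr, modulus_pointer(), salt);
    printf("pointer: %s (%zu chars reachable)\n", salt,
           reachable_chars(salt_chars_ptr, modulus_pointer()));
    reduce_to_salt(rnd, 8, salt_chars_arr, modulus_array() - 1, salt);
    printf("array:   %s (%zu chars reachable)\n", salt,
           reachable_chars(salt_chars_arr, modulus_array() - 1));
    return 0;
}
```

On a platform with 4-byte pointers the first line uses only "./01", matching the salts reported in the message.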