I spent some time on researching what is the best algorithm for passwords. The result seems to be that Blowfish is the way to go. My PHP and Dovecot both support Blowfish (I am using Dovecot for SMTP auth for Postfix).
I would like dbmail to support Blowfish also. In PHP, to generate a Blowfish hash, I am using: $hash=crypt($password, ‘$2y$10$'.$salt); The first $2y$ specifies to only use non-broken Blowfish algorithm and the $10$ specifies the 2^10 iteration count (so you can make the hash take longer to compute). If you do decide to support Blowfish, I suggest you just add a command line option to specify the salt-prefix to crypt pwtype so we can pass in the hash type and iteration count. That way, we could choose other crypt salted password types (like ‘$6$’ which I was using for salted SHA512 passwords before I did my research). Note that on Centos 6.5, I looked at my /etc/shadow file and I see that Centos hashed my passwords with ‘$6$’. I tried to change dbmail-user.c to make this change, but I haven’t figured out what library (or function) to call to do these Blowfish hashes. But, I’m sure it is doable since my PHP support this and I build PHP on the same server as DBMail. I might look into how PHP does this since I build PHP from source. Kevin On Jan 27, 2014, at 2:36 AM, Paul J Stevens <p...@nfg.nl> wrote: > On 27-01-14 02:44, KT Walrus wrote: >> I’m thinking of using dbmail in production. One issue I’m having is >> that it doesn’t seem to support salted SHA512 passwords. In my other >> PHP apps, I use PHP crypt to generate salted passwords: >> >> $salt=md5(microtime()); $hash=crypt($password, '$6$'.$salt); >> >> Any chance dbmail could add support for CRYPT_SHA512 password type in >> the next version of dbmail? > > The man-page is incomplete. DBMail already supports all cyphers > supported by mhash. Apart from the ones mentioned in dbmail-users(1) > there's also: > > "whirlpool", "sha512", "sha256", "sha1", "tiger" > >> I’m no expert at these things, but I’m worried someone will gain >> access to my dbmail users table and be able to crack a bunch of >> passwords faster because the dbmail passwords aren’t salted. > > If you're worried about security and cracks, don't use crypt! It's been > broken since the early nineties. A salt does *not* add additional > protection against password crackers. It just slows them down marginally. > > http://en.wikipedia.org/wiki/Salt_(cryptography) > >> Or, am I wrong? I looked at the mhash package that dbmail uses to >> encrypt passwords, but it doesn’t seem to be too actively maintained. >> Maybe dbmail could switch over to whatever crypt library that PHP >> uses? It would help if I could generate passwords from PHP and >> update the dbmail db directly for account maintenance. > > Mhash is unmaintained, but that doesn't mean it's broken. It's > effectively kept in working order by the packagers for the distribution > you use. > > PHP also has support for MCrypt, which looks like a fork of MHash. It's > last release is from 2008 - with libmcrypt last released in 2007! Not > much better than mhash then, is it!? > > > > > -- > ________________________________________________________________ > Paul J Stevens pjstevns @ gmail, twitter, github, linkedin > > * Premium Hosting Services and Web Application Consultancy * > > www.nfg.nl/i...@nfg.nl/+31.85.877.99.97 > ________________________________________________________________ > _______________________________________________ > DBmail mailing list > DBmail@dbmail.org > http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail _______________________________________________ DBmail mailing list DBmail@dbmail.org http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail
