Dear all,

Assume a Debian installation running Dovecot and Postfix. So Dovecot authenticates users from the data in MySQL. Postfix authenticates users using Dovecot. Credentials are stored in a MySQL database in the crypt form (DES).

Disadvantages of crypt are:
- no salt
- password truncation after 8 characters

I want to upgrade the password storage from crypt to SSHA512, which makes hashes harder to crack in case the hashes get stolen. bcrypt/scrypt would be even better, although Dovecot does not seem to support these natively (am I right here?).

Anyway: In order to convert the hashes, I need the cleartext passwords. So one idea would be to tell Dovecot to spit out the cleartext password when a user authenticates via POP or IMAP. Do you know of any such functionality?

Another approach would be to do some PAM hacking and change Dovecot so that it authenticates over PAM. An intermediate (maybe custom) PAM module would then grab the password and store its SSHA512 hash in a new db field of that particular user. After a while, I could delete the old crypt hashes and switch over to SSHA512.

So before I start hacking something together, I wanted to ask if anyone already knows a solution for this? Given the recent large password leaks (e.g. LinkedIn), a few others probably thought about this.

See Table I in http://www.bsdcan.org/2009/schedule/attachments/87_scrypt.pdf

Thanks,
Sebastian
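
Added example (not part of the original post, and not Dovecot's own code): a sketch of the rehash-on-login migration the message describes. It assumes the {SSHA512} layout is base64(SHA-512(password + salt) + salt); the column names crypt_hash and ssha512_hash are hypothetical, and the legacy check is a constructed stand-in for crypt(3) that only mimics its 8-character truncation.

```python
import base64, hashlib, hmac, os

SCHEME = "{SSHA512}"

def ssha512_encode(password, salt=None):
    """Return '{SSHA512}' + base64(SHA512(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")

def ssha512_verify(password, stored):
    """Constant-time check of a password against a stored {SSHA512} value."""
    if not stored.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:          # malformed base64
        return False
    if len(raw) <= 64:          # digest is 64 bytes; a salt must follow it
        return False
    digest, salt = raw[:64], raw[64:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Constructed stand-in for the legacy scheme, NOT real crypt(3): it only
# reproduces the "first 8 characters matter" behaviour so the demo runs.
def stand_in_legacy_hash(password):
    return hashlib.sha256(password[:8].encode("utf-8")).hexdigest()

def stand_in_legacy_verify(password, stored):
    return hmac.compare_digest(stand_in_legacy_hash(password), stored)

def login_and_migrate(row, password, legacy_verify):
    """Authenticate one user row (dict) and upgrade its hash on success.

    row uses hypothetical columns 'crypt_hash' and 'ssha512_hash'.
    """
    if row.get("ssha512_hash"):                     # already migrated
        return ssha512_verify(password, row["ssha512_hash"])
    legacy = row.get("crypt_hash")
    if legacy and legacy_verify(password, legacy):
        # The cleartext is only available here, at login time.
        row["ssha512_hash"] = ssha512_encode(password)
        row["crypt_hash"] = None                    # retire the weak hash
        return True
    return False
```

Because the legacy check only compares the first 8 characters, the first successful login fixes whatever full string was typed as the new password; after migration the whole password is checked.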