Sebastian <deb...@really-force.net> wrote:

> Assume a Debian installation running Dovecot and Postfix.
> I want to upgrade the password storage from crypt to SSHA512,
> which makes hashes harder to crack in case the hashes get stolen.
> bcrypt/scrypt would be even better, although Dovecot does not seem
> to support these natively (am I right here?).

That may depend on which version of Dovecot you're running:

- http://wiki2.dovecot.org/Authentication/PasswordSchemes
- http://wiki.dovecot.org/Authentication/PasswordSchemes

> In order to convert the hashes, I need the cleartext passwords. So one
> idea would be to tell Dovecot to spit out the cleartext password when
> a user authenticates via POP or IMAP. Do you know of any such
> functionality?

On my implementation, setting auth_debug_password=yes may well generate
passwords in the logfile. (It's supposed to write them only on a password
mismatch, but I get them since I've got two authentication sources enabled
and mostly only one of them has matching data.)

> So before I start hacking something together, I wanted to ask if anyone
> already knows a solution for this? Given the recent large password
> leaks (e.g. LinkedIn), a few others probably thought about this. See
> Table I in http://www.bsdcan.org/2009/schedule/attachments/87_scrypt.pdf

Given these leaks, you really need to ask whether you want to be collecting
plain text passwords. Maybe you should provide a "reset password" function
and push people to use that. (Looking at the scheme label prefixing each
password will allow you to determine who has upgraded and who hasn't.)

Chris
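The two ideas in this exchange, rehashing each user's password at the moment a login supplies the cleartext and then auditing the `{SCHEME}` label in front of every stored hash to see who has migrated, as an added Python example that is not from the thread or from Dovecot. It assumes the passwd-file layout `user:{SCHEME}hash[:uid:gid:...]` and the Dovecot SSHA512 layout base64(SHA-512(password || salt) || salt); the users, passwords, fixed salt and the `{MD5-CRYPT}` placeholder entry are constructed for the example, and crypt(3)-style schemes are intentionally not verified here. It does nothing with auth_debug_password; it models an application that already sees the cleartext at login time.

```python
import base64
import hashlib
import hmac
import os
import re
from collections import Counter

# Dovecot prefixes each stored hash with its scheme label, e.g. "{SSHA512}...".
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9.-]+)\}(.*)$")
SHA512_LEN = 64          # bytes in a raw SHA-512 digest
TARGET_SCHEME = "SSHA512"


def parse_passdb_line(line):
    """Split one passwd-file line ("user:{SCHEME}hash[:uid:gid:...]")
    into (user, scheme, hash). Raises ValueError if the label is missing."""
    user, _, rest = line.partition(":")
    field = rest.split(":", 1)[0]
    m = SCHEME_RE.match(field)
    if not user or m is None:
        raise ValueError("no {SCHEME} label in passdb line: %r" % line)
    return user, m.group(1).upper(), m.group(2)


def make_ssha512(password, salt=None):
    """Dovecot SSHA512 (assumed layout): base64(SHA512(password || salt) || salt).
    A random salt is the normal case; a fixed salt is only for reproducible tests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()


def verify(scheme, stored, password):
    """Check a cleartext password against a stored hash of a known scheme.
    Only PLAIN, SHA512 and SSHA512 are implemented; crypt(3) schemes such as
    MD5-CRYPT are deliberately left out of this example."""
    pw = password.encode()
    if scheme == "PLAIN":
        return hmac.compare_digest(stored.encode(), pw)
    if scheme == "SHA512":  # unsalted: base64 of the raw digest
        return hmac.compare_digest(base64.b64decode(stored), hashlib.sha512(pw).digest())
    if scheme == "SSHA512":
        raw = base64.b64decode(stored)
        if len(raw) <= SHA512_LEN:   # no room for a salt: malformed entry
            return False
        digest, salt = raw[:SHA512_LEN], raw[SHA512_LEN:]
        return hmac.compare_digest(digest, hashlib.sha512(pw + salt).digest())
    raise NotImplementedError("scheme %s not handled in this example" % scheme)


def scheme_report(passdb_text):
    """Count users per scheme label: the 'who has upgraded' check from the reply."""
    counts = Counter()
    for line in passdb_text.splitlines():
        if line.strip() and not line.startswith("#"):
            counts[parse_passdb_line(line)[1]] += 1
    return dict(counts)


def login_and_upgrade(line, password):
    """Rehash-on-login: authenticate with whatever scheme the entry has and, on
    success, return the entry rewritten with SSHA512. Returns (authenticated,
    line_to_store); a failed login never changes the entry."""
    user, scheme, stored = parse_passdb_line(line)
    if not verify(scheme, stored, password):
        return False, line
    if scheme == TARGET_SCHEME:
        return True, line
    extra = line.split(":", 2)[2:]   # keep uid/gid/home/... fields, if present
    return True, ":".join([user, make_ssha512(password)] + extra)


def simulate_logins(passdb_text, logins):
    """Replay {user: password} login attempts against a passdb and return the
    updated text. Users who never log in (or whose scheme cannot be verified
    here) keep their old entry, which is exactly what the audit then reveals."""
    out = []
    for line in passdb_text.splitlines():
        user = line.split(":", 1)[0]
        if user in logins:
            try:
                _, line = login_and_upgrade(line, logins[user])
            except NotImplementedError:
                pass
        out.append(line)
    return "\n".join(out)


# Constructed sample passdb: made-up users, passwords and salt, not real data.
_FIXED_SALT = b"example-salt-16b"
SAMPLE_PASSDB = "\n".join([
    "alice:{PLAIN}alice-pass:1000:1000",
    "bob:{SHA512}" + base64.b64encode(hashlib.sha512(b"bob-pass").digest()).decode(),
    "carol:" + make_ssha512("carol-pass", _FIXED_SALT),
    "dave:{MD5-CRYPT}$1$placeholder",   # placeholder string; only counted, never verified
])

if __name__ == "__main__":
    print("before:", scheme_report(SAMPLE_PASSDB))
    after = simulate_logins(SAMPLE_PASSDB, {"alice": "alice-pass", "bob": "wrong"})
    print("after: ", scheme_report(after))
```

Running the audit before and after a batch of logins shows the migration's real progress: only users who authenticated successfully move to `{SSHA512}`, and the remaining `{PLAIN}`, `{SHA512}` and crypt-style labels are the accounts a "reset password" push would still have to reach.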