Sebastian <deb...@really-force.net> wrote:
> Assume a Debian installation running Dovecot and Postfix.

> I want to upgrade the password storage from crypt to SSHA512,
> which makes hashes harder to crack in case the hashes get stolen.
> bcrypt/scrypt would be even better, although Dovecot does not seem
> to support these natively (am I right here?).

That may depend on which version of Dovecot you're running:
  - http://wiki2.dovecot.org/Authentication/PasswordSchemes
  - http://wiki.dovecot.org/Authentication/PasswordSchemes


> In order to convert the hashes, I need the cleartext passwords. So one
> idea would be to tell Dovecot to spit out the cleartext password when
> a user authenticates via POP or IMAP. Do you know of any such 
> functionality?

On my implementation, setting auth_debug_password=yes may well generate
passwords in the logfile. (It's supposed to write them only on a
password mismatch, but I get them since I've got two authentication
sources enabled and mostly only one of them has matching data.)


> So before I start hacking something together, I wanted to ask if anyone
> already knows a solution for this? Given the recent large password
> leaks (e.g. Linkedin), a few others probably thought about this. See
> Table I in http://www.bsdcan.org/2009/schedule/attachments/87_scrypt.pdf

Given these leaks, you really need to ask whether you want to be
collecting plain text passwords. Maybe you should provide a "reset
password" function and push people to use that. (Looking at the scheme
label prefixing each password will allow you to determine who has upgraded
and who hasn't.)

Chris
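The scheme-label check Chris describes, together with the {SSHA512} format Sebastian is migrating to, as an added Python example that is not part of this thread. It assumes a Dovecot passwd-file layout (user:password:uid:gid) and that unlabelled entries fall under default_pass_scheme = CRYPT; the sample file is constructed.

```python
import base64
import hashlib
import hmac
import os
import re
from collections import Counter
from typing import Optional

DIGEST_LEN = hashlib.sha512().digest_size  # 64-byte digest precedes the salt

def make_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Dovecot {SSHA512} form: base64(sha512(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(16)  # any length; Dovecot treats bytes after the digest as salt
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha512(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA512} value with a constant-time compare."""
    if not stored.startswith("{SSHA512}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA512}"):])
    if len(raw) < DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    return hmac.compare_digest(hashlib.sha512(password.encode("utf-8") + salt).digest(), digest)

SCHEME_RE = re.compile(r"^\{([^}]+)\}")

def scheme_of(field: str, default: str = "CRYPT") -> str:
    """Scheme label of a password field; unlabelled entries use default_pass_scheme (assumed CRYPT)."""
    m = SCHEME_RE.match(field)
    return m.group(1).upper() if m else default

def upgrade_report(passwd_file: str):
    """Count schemes in a passwd-file and list users whose entry is not yet SSHA512."""
    counts, pending = Counter(), []
    for line in passwd_file.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        scheme = scheme_of(field)
        counts[scheme] += 1
        if scheme != "SSHA512":
            pending.append(user)
    return counts, pending

# Constructed sample passwd-file: two legacy crypt users, one already migrated.
SAMPLE = "\n".join([
    "alice:{CRYPT}$1$saltsalt$constructedhashvalue..:1000:1000",
    "bob:" + make_ssha512("correct horse", salt=b"fixedsalt") + ":1001:1001",
    "carol:$6$saltsalt$constructedhashvalue..:1002:1002",  # no label -> default scheme
])
```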


Archive: http://lists.debian.org/f29mh9xbv5....@news.roaima.co.uk