Hello,

Thanks. The other utility I would be using is the Roundcube webmail password plugin. Still trying to figure out the best option.
More opinions? Thanks.
Dave.

On 6/24/23, Robert Lister <r...@lentil.org> wrote:
>
> I did a similar upgrade, and am now in the process of migrating from SHA512-CRYPT
> to BLF-CRYPT with appropriately set rounds, as I think the default rounds
> are a little low.
>
> A good write-up on migrating passwords and calculating the rounds:
> https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixadmin-and-roundcube/
>
>
> I would take into consideration the following factors when deciding the
> hashing algo.
>
> 1. Other tools/scripts that need to update or check passwords in the database,
> for example:
> - roundcube webmail has a plugin to allow users to change their password
> using a variety of methods.
> - postfixadmin
>
> For a long time, bcrypt wasn't natively supported by either the version of php
> or underlying OS libs, so these tools had to rely on calling "doveadm pw"
> to generate BLF-CRYPT hashes. And assumed that doveadm was available
> on the same server as it.
>
> The latest versions support bcrypt and newer hashing algos natively.
>
> Some tools might rely on the database (mysql/mariadb) to hash passwords, so
> this may also be a consideration.
>
> 2. Server load / libs:
>
> - The Dovecot docs:
> https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
> has this to say on ARGON2I/ARGON2ID:
>
> "Argon2 is the winner of password hashing competition held at July
> 2015. The password will start with $argon2i$ or $argon2id$. You can use -r to tune
> computational complexity, minimum is 3. ARGON2ID is only available if your libsodium is
> recent enough. ARGON2 can require quite a hefty amount of virtual memory, so we
> recommend that you set service auth { vsz_limit = 2G } at least, or more."
>
> There's a good write-up of considering the various algos:
> https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
>
> I considered BLF-CRYPT (for the time being) to be strong enough and a
> good balance between compatibility, strength and server load, given the
> number of users etc.
>
> Rob
>
>
> On 2023-06-23 02:14, David Mehler wrote:
>> Hello,
>>
>> I'm migrating to a new server. It's running Debian 11 currently though
>> that's going 12 this weekend. Currently it uses Openssl v3.0.9, and
>> dovecot 2.3.13 and MySQL (in this case Mariadb) for storing user
>> account information v10.6.14. My question is in regard to password
>> storage and scheme/encryption/salts.
>>
>> Currently they are stored in Mariadb password field with a type of
>> varchar and a 255 character length, and are stored as SHA512-CRYPT.
>> I'm wondering if I should keep this as is or when I migrate go to
>> another scheme? I'm thinking argon2i, argon2d, argon2id, sha512,
>> sha512-crypt, tiger2, salt?
>
>
> --
> Robert Lister - email: r...@lentil.org - tel: 020 7043 7996
> _______________________________________________
> dovecot mailing list -- dovecot@dovecot.org
> To unsubscribe send an email to dovecot-le...@dovecot.org
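Added example, not part of any message in this thread and not code from Roundcube, PostfixAdmin or Dovecot. It illustrates the two points Rob raises: the web-side tools that change or check passwords must emit the same hash format Dovecot reads, and the rounds should be chosen for the host rather than left at the default. Because Dovecot honours a per-row `{SCHEME}` prefix over the passdb `default_pass_scheme`, old `{SHA512-CRYPT}` rows and new `{BLF-CRYPT}` rows can coexist in the same varchar(255) column while users are rehashed on their next successful login. Assumptions (mine, not from the thread): PHP 7.3 or later with native bcrypt; rows without a prefix are SHA512-CRYPT; the constants `TARGET_SCHEME`, `MIN_COST` and the 250 ms calibration target; the `mailbox`/`password` names in the final comment.

```php
<?php
declare(strict_types=1);
// Added example (not code from the thread, Roundcube, PostfixAdmin or Dovecot):
// a password-change/login backend, the job Roundcube's password plugin does,
// that writes Dovecot-compatible "{SCHEME}hash" values with PHP's native bcrypt
// and upgrades legacy SHA512-CRYPT rows on successful login.
// Assumes PHP >= 7.3 and a mailbox table whose `password` column is varchar(255).

const TARGET_SCHEME  = 'BLF-CRYPT';
const MIN_COST       = 10;             // assumption: floor even on a fast host
const DEFAULT_SCHEME = 'SHA512-CRYPT'; // assumption: passdb default_pass_scheme for rows without a {prefix}

/**
 * Find the bcrypt cost at which one hash takes at least $targetMs on this host.
 * Each +1 doubles the work, so this runs only a handful of hashes.
 */
function calibrate_bcrypt_cost(float $targetMs = 250.0, int $maxCost = 14): int
{
    for ($cost = 8; $cost < $maxCost; $cost++) {
        $t0 = hrtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if ((hrtime(true) - $t0) / 1e6 >= $targetMs) {
            return $cost;
        }
    }
    return $maxCost;
}

/** Dovecot-prefixed bcrypt, e.g. "{BLF-CRYPT}$2y$12$..." (PHP emits the $2y$ variant Dovecot itself produces). */
function dovecot_blf_crypt(string $password, int $cost): string
{
    return '{' . TARGET_SCHEME . '}' . password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

/** Split a stored "{SCHEME}hash"; rows without a prefix use the passdb default scheme. */
function split_scheme(string $stored): array
{
    if (preg_match('/^\{([A-Za-z0-9._-]+)\}(.*)$/s', $stored, $m)) {
        return [strtoupper($m[1]), $m[2]];
    }
    return [DEFAULT_SCHEME, $stored];
}

/**
 * SHA512-CRYPT ($6$), SHA256-CRYPT ($5$), MD5-CRYPT ($1$) and BLF-CRYPT ($2y$) are all
 * crypt(3) strings, so password_verify() checks any of them with a timing-safe compare.
 * ARGON2I/ARGON2ID use the same "$argon2id$..." string format as Dovecot's libsodium
 * output, but verify only if this PHP build has argon2 support.
 */
function verify_stored(string $password, string $stored): bool
{
    [$scheme, $hash] = split_scheme($stored);
    switch ($scheme) {
        case 'BLF-CRYPT':
        case 'SHA512-CRYPT':
        case 'SHA256-CRYPT':
        case 'MD5-CRYPT':
        case 'ARGON2I':
        case 'ARGON2ID':
            return password_verify($password, $hash);
        default:
            return false;   // unknown to this tool (PLAIN, doveadm-only schemes): do not guess
    }
}

/**
 * Transparent upgrade on login: returns the new column value to write back, or null
 * when the login failed or the row is already BLF-CRYPT at the current cost.
 */
function upgrade_if_needed(string $password, string $stored, int $cost): ?string
{
    if (!verify_stored($password, $stored)) {
        return null;   // never rehash on a failed login
    }
    [$scheme, $hash] = split_scheme($stored);
    $stale = $scheme !== TARGET_SCHEME
        || password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $cost]);
    return $stale ? dovecot_blf_crypt($password, $cost) : null;
}

// --- usage with a constructed legacy row (not real credentials) ---
$cost   = max(MIN_COST, calibrate_bcrypt_cost());
$salt   = substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16);
$legacy = '{SHA512-CRYPT}' . crypt('correct horse', '$6$rounds=5000$' . $salt . '$');

$new = upgrade_if_needed('correct horse', $legacy, $cost);
assert($new !== null && strncmp($new, '{BLF-CRYPT}$2y$', 15) === 0);
assert(verify_stored('correct horse', $new));
assert(upgrade_if_needed('correct horse', $new, $cost) === null);      // already current: no rewrite
assert(upgrade_if_needed('wrong password', $legacy, $cost) === null);  // failed login: row untouched
// $new is the value for e.g. UPDATE mailbox SET password = ? WHERE username = ?
```

Run the calibration once at deploy time rather than per request, and re-run it after a hardware change; raising the cost later is harmless because `password_needs_rehash()` will pick up the old-cost rows on their next login. Rows that never log in again are the ones a bulk migration (or a forced reset) has to cover, since bcrypt cannot be derived from an existing SHA512-CRYPT hash.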