
Changing email password storage format



Dear all,

Assume a Debian installation running Dovecot and Postfix. So
Dovecot authenticates users from the data in MySQL. Postfix
authenticates users using Dovecot. Credentials are stored in a
MySQL database in the crypt form (DES). 

Disadvantages of crypt are: 
- no salt
- password truncation after 8 characters

I want to upgrade the password storage from crypt to SSHA512,
which makes hashes harder to crack in case the hashes get stolen.
bcrypt/scrypt would be even better, although Dovecot does not seem
to support these natively (am I right here?).

Anyway:
In order to convert the hashes, I need the cleartext passwords. So one
idea would be to tell Dovecot to spit out the cleartext password when
a user authenticates via POP or IMAP. Do you know of any such 
functionality?

Another approach would be to do some PAM hacking and change
Dovecot so that it authenticates over PAM. An intermediate (maybe
custom) PAM module would then grab the password and store its
SSHA512 hash in a new db field of that particular user. After a while,
I could delete the old crypt hashes and switch over to SSHA512.

So before I start hacking something together, I wanted to ask if anyone
already knows a solution for this? Given the recent large password
leaks (e.g. Linkedin), a few others probably thought about this. See
Table I in http://www.bsdcan.org/2009/schedule/attachments/87_scrypt.pdf

Thanks,
Sebastian
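The following is an added example, not code from Sebastian's message or from Dovecot. It implements the target storage format named in the post, Dovecot's {SSHA512} scheme (base64 of sha512(password + salt) followed by the salt, with the "{SSHA512}" prefix), together with the on-login migration step the post sketches: a hook that is called only after Dovecot has already accepted the user's cleartext password against the legacy crypt hash, and that writes the SSHA512 hash into a new column. The salt length, the column names, the placeholder user table and the transition password query are assumptions; the DES crypt check itself is left to the existing Dovecot auth path and is not reimplemented here.

```python
"""Dovecot-style {SSHA512} hashing and a lazy on-login migration step.

Added example (not code from the post or from Dovecot). The storage
format implemented here is Dovecot's SSHA512 scheme:
    base64( sha512(password + salt) + salt ), prefixed with "{SSHA512}".
Salt length, column names and the placeholder user table are assumptions.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

SSHA512_PREFIX = "{SSHA512}"
DIGEST_LEN = 64          # sha512 output size; everything after it is the salt
SALT_LEN = 16            # assumption; Dovecot uses whatever follows the digest


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a Dovecot-compatible {SSHA512} string for `password`.
    A fresh random salt is drawn unless one is supplied (for tests only)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SSHA512_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(password: str, stored: str) -> bool:
    """Check `password` against a stored {SSHA512} string. Rejects malformed
    input and compares digests in constant time."""
    if not stored.startswith(SSHA512_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA512_PREFIX):], validate=True)
    except ValueError:              # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= DIGEST_LEN:      # no salt present: not a valid SSHA512 blob
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def fresh_users() -> Dict[str, Dict[str, Optional[str]]]:
    """Constructed stand-in for the MySQL user table (username -> row).
    "password" holds the legacy crypt(3) DES hash; the values are placeholders
    with the 13-character DES shape, not real hashes. "password_ssha512" is the
    assumed new column that the migration fills in."""
    return {
        "alice": {"password": "xxPLACEHOLDER", "password_ssha512": None},
        "bob":   {"password": "yyPLACEHOLDER", "password_ssha512": None},
    }


def record_after_successful_login(username: str, password: str,
                                  users: Dict[str, Dict[str, Optional[str]]]) -> bool:
    """Hook for the intermediate auth step described in the post: called only
    after Dovecot has already accepted (username, password) against the legacy
    crypt hash, so the cleartext is trusted here. Stores the SSHA512 hash of the
    full password (no 8-character truncation) and returns True when a new hash
    was written, False when nothing changed."""
    row = users.get(username)
    if row is None:
        return False
    current = row["password_ssha512"]
    if current is not None and ssha512_verify(password, current):
        return False                # already migrated with this password
    row["password_ssha512"] = ssha512_hash(password)
    return True


def migration_status(users: Dict[str, Dict[str, Optional[str]]]) -> Dict[str, list]:
    """Report which users still authenticate only via the legacy DES hash."""
    migrated = sorted(u for u, r in users.items() if r["password_ssha512"])
    pending = sorted(u for u, r in users.items() if not r["password_ssha512"])
    return {"migrated": migrated, "pending": pending}


# Assumed Dovecot password_query for the transition window: prefer the new
# column when present, otherwise fall back to the legacy hash with an explicit
# {CRYPT} scheme prefix so both formats coexist behind one query.
TRANSITION_PASSWORD_QUERY = (
    "SELECT userid AS user, "
    "COALESCE(password_ssha512, CONCAT('{CRYPT}', password)) AS password "
    "FROM users WHERE userid = '%n' AND domain = '%d'"
)

if __name__ == "__main__":
    users = fresh_users()
    print(record_after_successful_login("alice", "correct horse battery", users))
    print(migration_status(users))
```

To check interoperability before wiring this into the auth path, compare a hash produced by `ssha512_hash` against what `doveadm pw -s SSHA512 -p <password>` emits for the same password (the salts will differ, but `doveadm pw -t '<hash>' -p <password>` should accept the Python-generated string). Once `migration_status` reports no pending users, the legacy column and the `{CRYPT}` fallback in the query can be dropped.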

