How To Create Virtual Accounts with CRAM-MD5
Linked by Thom Holwerda on Tue 10th Nov 2009 16:10 UTC, submitted by a_weber42
Privacy, Security, Encryption "The major disadvantage of PLAIN text passwords on the server of course is that they are readable. Even if your communication with the server is encrypted it is troubling to have readable passwords on the server. You can easily change this by using the dovecotpw command and creating encrypted passwords."
E-mail Print r 0   3 Comment(s) http://osne.ws/hc7
Order by: Score:
Add Comment Post a Comment
MD5 not good
by Meor on Tue 10th Nov 2009 17:20 UTC
Meor
Member since:
2006-09-29

MD5 is not sufficient for any situation where there could be an adversary. http://www.mscs.dal.ca/~selinger/md5collision/ Use SHA-256 or the like. MD5 can only be useful when checking for errors when no attacker is suspected.

Reply Score: 3

RE: MD5 not good
by ghen on Wed 11th Nov 2009 12:42 UTC in reply to "MD5 not good"
ghen Member since:
2005-08-31

How are collisions relevant in this discussion? Hashing passwords is just about making them non-recoverable in case the password database leaks, nothing more.

Reply Score: 2

RE[2]: MD5 not good
by renhoek on Thu 12th Nov 2009 20:59 UTC in reply to "RE: MD5 not good"
renhoek Member since:
2007-04-29

No, it's not relevant since it's challenge-response. Collisions are only relevant if you know the output the server wants to see.

But using MD5 for security should raise the big red flag of bad ideas.

Anyway, wikipedia lists some (imho) major issues with cram-md5 :

http://en.wikipedia.org/wiki/CRAM-MD5#Protocol_Weaknesses

Reply Score: 2

Add Comment Post a Comment