Linked by Thom Holwerda on Tue 10th Nov 2009 16:10 UTC, submitted by a_weber42
Privacy, Security, Encryption
"The major disadvantage of PLAIN text passwords on the server of course is that they are readable. Even if your communication with the server is encrypted it is troubling to have readable passwords on the server. You can easily change this by using the dovecotpw command and creating encrypted passwords."
MD5 not good
by Meor on Tue 10th Nov 2009 17:20 UTC
Meor Member since:
2006-09-29

MD5 is not sufficient for any situation where there could be an adversary. http://www.mscs.dal.ca/~selinger/md5collision/ Use SHA-256 or the like. MD5 can only be useful when checking for errors when no attacker is suspected.

Reply Score: 3

RE: MD5 not good
by ghen on Wed 11th Nov 2009 12:42 in reply to "MD5 not good"
ghen Member since:
2005-08-31

How are collisions relevant in this discussion? Hashing passwords is just about making them non-recoverable in case the password database leaks, nothing more.

Reply Parent Score: 2

RE[2]: MD5 not good
by renhoek on Thu 12th Nov 2009 20:59 in reply to "RE: MD5 not good"
renhoek Member since:
2007-04-29

No, it's not relevant since it's challenge-response. Collisions are only relevant if you know the output the server wants to see.

But using MD5 for security should raise the big red flag of bad ideas.

Anyway, Wikipedia lists some (imho) major issues with CRAM-MD5:

http://en.wikipedia.org/wiki/CRAM-MD5#Protocol_Weaknesses

Reply Parent Score: 2
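
Added example, not part of the thread or the linked article: the CRAM-MD5 exchange the comments refer to, following RFC 2195 and checked against that RFC's sample values. The function names and the in-memory `secrets` table are assumptions made for illustration; the point is that the server verifies by recomputing a keyed HMAC over a fresh challenge, so it has to hold the shared secret (or an equivalent) itself.

```python
import base64
import hashlib
import hmac
import os
import time

# Sample values from RFC 2195, section 2.
RFC_SECRET = b"tanstaaftanstaaf"
RFC_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"

def make_challenge(hostname: str) -> bytes:
    """Server side: a fresh, never-repeated challenge in msg-id form."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()

def cram_md5_digest(secret: bytes, challenge: bytes) -> str:
    """HMAC-MD5 keyed with the shared secret over the raw challenge."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()

def client_response(user: str, secret: bytes, challenge: bytes) -> bytes:
    """Client side: base64("user" SP hex-digest), as sent on the wire."""
    line = f"{user} {cram_md5_digest(secret, challenge)}"
    return base64.b64encode(line.encode())

def server_verify(secrets: dict, challenge: bytes, response_b64: bytes) -> bool:
    """Server side: recompute the digest from the stored secret and compare."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
        user, digest = decoded.rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed base64 or missing "user digest" form
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = cram_md5_digest(secret, challenge)
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(expected.encode(), digest.encode())

if __name__ == "__main__":
    secrets = {"tim": RFC_SECRET}  # constructed in-memory user table
    resp = client_response("tim", RFC_SECRET, RFC_CHALLENGE)
    print("S: +", base64.b64encode(RFC_CHALLENGE).decode())
    print("C:", resp.decode())
    print("accepted:", server_verify(secrets, RFC_CHALLENGE, resp))
    # The same response replayed against a new challenge is rejected.
    fresh = make_challenge("mail.example.org")
    print("replay accepted:", server_verify(secrets, fresh, resp))
```
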