On 27-01-14 02:44, KT Walrus wrote:
> I’m thinking of using dbmail in production.  One issue I’m having is
> that it doesn’t seem to support salted SHA512 passwords.  In my other
> PHP apps, I use PHP crypt to generate salted passwords:
> 
> $salt=md5(microtime()); $hash=crypt($password, '$6$'.$salt);
> 
> Any chance dbmail could add support for CRYPT_SHA512 password type in
> the next version of dbmail?

The man-page is incomplete. DBMail already supports all cyphers
supported by mhash. Apart from the ones mentioned in dbmail-users(1)
there's also:

"whirlpool", "sha512", "sha256", "sha1", "tiger"

> I’m no expert at these things, but I’m worried someone will gain
> access to my dbmail users table and be able to crack a bunch of
> passwords faster because the dbmail passwords aren’t salted.

If you're worried about security and cracks, don't use crypt! It's been
broken since the early nineties. A salt does *not* add additional
protection against password crackers. It just slows them down marginally.

http://en.wikipedia.org/wiki/Salt_(cryptography)

> Or, am I wrong?  I looked at the mhash package that dbmail uses to
> encrypt passwords, but it doesn’t seem to be too actively maintained.
> Maybe dbmail could switch over to whatever crypt library that PHP
> uses?  It would help if I could generate passwords from PHP and
> update the dbmail db directly for account maintenance. 

Mhash is unmaintained, but that doesn't mean it's broken. It's
effectively kept in working order by the packagers for the distribution
you use.

PHP also has support for MCrypt, which looks like a fork of MHash. Its
last release is from 2008 - with libmcrypt last released in 2007! Not
much better than mhash then, is it!?
-- 
________________________________________________________________
Paul J Stevens       pjstevns @ gmail, twitter, github, linkedin

  * Premium Hosting Services and Web Application Consultancy *

           www.nfg.nl/[email protected]/+31.85.877.99.97
________________________________________________________________
_______________________________________________
DBmail mailing list
[email protected]
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail
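The thread turns on what a salt actually buys when a password table leaks. The following is an added example, not code from this thread, from dbmail or from PHP's crypt(); it uses Python's standard library, and its stored-hash layout ("pbkdf2_sha512$iterations$salt$digest"), iteration count and salt size are illustrative choices, not dbmail's storage format. It shows the two effects a defender cares about: without a salt, two accounts with the same password store the same digest, so one precomputed table covers every row; with a per-user random salt and an iterated hash, the digests differ and each one has to be attacked on its own. Note that PHP's `crypt($pw, '$6$' . $salt)` is SHA-512-crypt, a different construction from the PBKDF2-HMAC-SHA512 used here; the point about salting is the same.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters for the slow, salted hash (assumptions for this
# example, not dbmail's or PHP's settings).
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha512"


def hash_unsalted(password: str) -> str:
    """Plain SHA-512 of the password, hex encoded.

    Same input gives the same output for every user, so a single precomputed
    table of common passwords matches every account that uses one of them.
    """
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated SHA-512 (PBKDF2-HMAC-SHA512 from the standard library).

    Returns a self-describing record "pbkdf2_sha512$<iters>$<salt hex>$<digest hex>"
    (a constructed layout for this example). A fresh random salt is drawn from
    os.urandom() unless one is supplied, so equal passwords get different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count.

    The comparison is constant time (hmac.compare_digest) so a timing
    difference cannot reveal how many leading bytes matched. Malformed
    records are rejected rather than raising.
    """
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def compare_two_users(password: str) -> dict:
    """Two accounts sharing one (constructed) password.

    Unsalted digests collide; salted records differ, yet each still verifies,
    and a near-miss password is rejected.
    """
    a_plain = hash_unsalted(password)
    b_plain = hash_unsalted(password)
    a_salted = hash_salted(password)
    b_salted = hash_salted(password)
    return {
        "unsalted_identical": a_plain == b_plain,
        "salted_identical": a_salted == b_salted,
        "both_verify": verify_salted(password, a_salted) and verify_salted(password, b_salted),
        "wrong_password_rejected": not verify_salted(password + "x", a_salted),
    }


if __name__ == "__main__":
    # Constructed sample password; in practice it comes from the login request.
    print(compare_two_users("correct horse battery staple"))
```

The record stores its own salt and iteration count, so the verifier needs nothing beyond the row itself, and the count can be raised later for new passwords without invalidating old rows. The salt is not a secret and may sit next to the digest; its job is uniqueness, which is what makes precomputation useless, while the iteration count is what slows a guess-by-guess attack against any single record.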