Was just perusing this article about how trivial it is to decrypt
passwords that are stored using most (standard) encryption methods (like
MD5), and was wondering - is it possible to use bcrypt with
dovecot+postfix+mysql (or postgres)?

Ooop... forgot the link:

http://codahale.com/how-to-safely-store-a-password/

AFAIK, that web page is correct in a relative sense, but getting bcrypt support might not be the most urgent priority.

In his description, he uses the example of passwords which are "lowercase, alphanumeric, and 6 characters long" (and in another place the example is "lowercase, alphabetic passwords which are ≤7 characters", I guess to illustrate that things have gotten faster). If you are allowing your users to create such weak passwords, using bcrypt will not save you/them. Attackers will just be wasting more of your CPU time making attempts. If they get a copy of your hashed passwords, they'll likely be wasting their own CPU time, but they have plenty of that, too.

There are plenty of recommendations for what makes a good password / passphrase. If you are not already enforcing such rules (perhaps also with a lookaside to one or more of the leaked tables of passwords floating around), then IMHO that's much more urgent. (One of the best twists I read somewhere [sorry, I forget where] was to require at least one uppercase and one digit, but to not count them as fulfilling the requirement if they were used as the first or last character.)

Side note, but for the sake of precision ... attackers are not literally decrypting passwords. They are guessing passwords and then performing a one-way hash to see if they guessed correctly. As a practical matter, that means that you have to ask your users to update their passwords any time you change the password storage scheme. (I don't know enough about bcrypt to know if that would be required if you wanted to simply increase the work factor.)
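
An added sketch (not from either poster) of the password rule described in the reply above: an uppercase letter and a digit only count when they are not the first or last character, combined with a lookaside against a leaked-password table. `check_password`, `LEAKED` and `MIN_LENGTH` are hypothetical names, and the list entries and minimum length are constructed values.

```python
# Constructed stand-in for a leaked-password table, stored lowercase.
# A real deployment would load one of the published breach lists.
LEAKED = {"password1", "letmein", "qwerty123", "pa55word", "drag0nslayer"}

MIN_LENGTH = 10  # assumed minimum; the thread does not name a length


def check_password(candidate, leaked=LEAKED, min_length=MIN_LENGTH):
    """Return a list of policy failures; an empty list means accepted."""
    failures = []
    if len(candidate) < min_length:
        failures.append("too short")
    # Only characters strictly between the first and last position count,
    # so the common "Capital first, digit last" padding earns nothing.
    interior = candidate[1:-1]
    if not any(c.isupper() for c in interior):
        failures.append("no uppercase letter in the interior")
    if not any(c.isdigit() for c in interior):
        failures.append("no digit in the interior")
    # Case-insensitive lookaside against the leaked table.
    if candidate.lower() in leaked:
        failures.append("appears in leaked-password list")
    return failures


if __name__ == "__main__":
    # Constructed sample candidates.
    for pw in ("Sunflower9", "sunFl0wer-bed", "Pa55word", "drAg0nslayer"):
        print(pw, "->", check_password(pw) or "accepted")
```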

