Re: [Dovecot] Weird Authentication behaviour
Reindl Harald h.rei...@thelounge.net writes: frankly 8 chars is laughable, i recently wrote a PHP library to generate secure random passwords and for 10 passwords get 13 collisions is way to much given that that means you have a collision every 8000 tries which means not you need 8000 in a real world attack (Off-topic) Not that I disagree with the conclusion that 8 character passwords are weak by todays standards, but there seems to be something wrong with your generator (weak PRNG? limited character set?). 13 collisions in 10^5 passwords is terrible, even by 1980 Unix standards. The keyspace for an 8-character alphanumeric password is 62^8, and assuming a random selection of keys, you would need to generate 17,397,806 keys before expecting a 50% probability of finding one collision: (Ref: http://en.wikipedia.org/wiki/Birthday_problem#Cast_as_a_collision_problem) p=0.5, d=62^8, n=sqrt(2*62^8*log(1/(1-0.5)) ~= 1.7E7 A hash collision (again, assuming crypt is a halfway decent hasher) is even more unlikely, as the hash space is even larger (4096 salts * 64^11). Jiri Bourek added Yes, AFAIK DES encryption is obsolete for very long time and if you know hash, it's quite easy to generate a secret which will match the hash ... Quite easy? Maybe if you could find a crypt rainbow tables for crypt(). Go ahead and invert LXE5F6d8FPOa.. Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Weird Authentication behaviour
Am 27.03.2014 11:27, schrieb Joseph Tam: Reindl Harald h.rei...@thelounge.net writes: frankly 8 chars is laughable, i recently wrote a PHP library to generate secure random passwords and for 10 passwords get 13 collisions is way to much given that that means you have a collision every 8000 tries which means not you need 8000 in a real world attack (Off-topic) Not that I disagree with the conclusion that 8 character passwords are weak by todays standards, but there seems to be something wrong with your generator (weak PRNG? limited character set?). 13 collisions in 10^5 passwords is terrible, even by 1980 Unix standards * Intel IvyBridge with rngd * haveged -w 3072 -v 1 * SURELY a limited character set because mail-clients don't handle any char $internal_random = openssl_random_pseudo_bytes(15) . microtime() . serialize($_SERVER) . serialize($_REQUEST) . serialize($_ENV) . uniqid('', true) . openssl_random_pseudo_bytes(15) * that is not the problem and a lot of high random crap * but you can't use that for passwords * after hash_pbkdf2('sha256', $internal_random, mcrypt_create_iv(16, MCRYPT_DEV_URANDOM), 20, $length) you are limited to low chars and number, so you need to randomly uppercase some chars and randomly insert acceptable special chars like array('_','#','*','-','','!','?','.',',','=') signature.asc Description: OpenPGP digital signature
Re: [Dovecot] Weird Authentication behaviour
On 03/24/2014 07:34 AM, Jürgen Ladstätter wrote: Hi guys, we use dovecot 2.0.9 and authentication against a mysql database. Everything works fine, but we found some weird behavior – when the password is e.g. “testpass” you also authenticate successfully with “testpass123” or “testpassNOT”. Whatever comes after the correct password doesn’t matter, the authentication is still successful. .. default_pass_scheme = CRYPT http://wiki2.dovecot.org/Authentication/PasswordSchemes -- CRYPT: Traditional DES-crypted password in /etc/passwd (e.g. pass = vpvKh.SaNbR6s) Dovecot uses libc's crypt() function, which means that CRYPT is usually able to recognize MD5-CRYPT and possibly also other password schemes. See all of the *-CRYPT schemes at the top of this page. *The traditional DES-crypt scheme only uses the first 8 characters of the password, the rest are ignored.* Other schemes may have other password length limitations (if they limit the password length at all).
Re: [Dovecot] Weird Authentication behaviour
Am 24.03.2014 12:47, schrieb Gedalya: On 03/24/2014 07:34 AM, Jürgen Ladstätter wrote: we use dovecot 2.0.9 and authentication against a mysql database. Everything works fine, but we found some weird behavior – when the password is e.g. “testpass” you also authenticate successfully with “testpass123” or “testpassNOT”. Whatever comes after the correct password doesn’t matter, the authentication is still successful. .. default_pass_scheme = CRYPT http://wiki2.dovecot.org/Authentication/PasswordSchemes -- CRYPT: Traditional DES-crypted password in /etc/passwd (e.g. pass = vpvKh.SaNbR6s) Dovecot uses libc's crypt() function, which means that CRYPT is usually able to recognize MD5-CRYPT and possibly also other password schemes. See all of the *-CRYPT schemes at the top of this page. *The traditional DES-crypt scheme only uses the first 8 characters of the password, the rest are ignored.* Other schemes may have other password length limitations (if they limit the password length at all) my passwords have 19 chars and my linux login does not accept only the first 8 ones, that's the state for many years now frankly 8 chars is laughable, i recently wrote a PHP library to generate secure random passwords and for 10 passwords get 13 collisions is way to much given that that means you have a collision every 8000 tries which means not you need 8000 in a real world attack GENERATED: 10 COLLISIONS: 13 signature.asc Description: OpenPGP digital signature
Re: [Dovecot] Weird Authentication behaviour
Reindl Harald wrote: Am 24.03.2014 12:47, schrieb Gedalya: On 03/24/2014 07:34 AM, Jürgen Ladstätter wrote: we use dovecot 2.0.9 and authentication against a mysql database. Everything works fine, but we found some weird behavior – when the password is e.g. “testpass” you also authenticate successfully with “testpass123” or “testpassNOT”. Whatever comes after the correct password doesn’t matter, the authentication is still successful. .. default_pass_scheme = CRYPT http://wiki2.dovecot.org/Authentication/PasswordSchemes -- CRYPT: Traditional DES-crypted password in /etc/passwd (e.g. pass = vpvKh.SaNbR6s) Dovecot uses libc's crypt() function, which means that CRYPT is usually able to recognize MD5-CRYPT and possibly also other password schemes. See all of the *-CRYPT schemes at the top of this page. *The traditional DES-crypt scheme only uses the first 8 characters of the password, the rest are ignored.* Other schemes may have other password length limitations (if they limit the password length at all) my passwords have 19 chars and my linux login does not accept only the first 8 ones, that's the state for many years now Because libc's crypt() was extended to support other encryption algorithms and your distribution chose to use them. (in Debian see for example /etc/login.defs, variable ENCRYPT_METHOD) That doesn't change the fact you can still use crypt() with DES encryption. For example, htpasswd still does that by default (or at least was doing that few months ago), you can recofigure your Linux login to do it as well and obviously you can configure Dovecot the same way. frankly 8 chars is laughable, i recently wrote a PHP library to generate secure random passwords and for 10 passwords get 13 collisions is way to much given that that means you have a collision every 8000 tries which means not you need 8000 in a real world attack GENERATED: 10 COLLISIONS: 13 Yes, AFAIK DES encryption is obsolete for very long time and if you know hash, it's quite easy to generate a secret which will match the hash (so security-wise database with DES encrypted passwords is pretty much no better than database with plaintext passwords) For the author of top post: Dovecot does what you told it to do. If you want to change this, it'll be a bit of a problem. If you by any chance have plaintext passwords for your accounts (and you shouldn't have them), you can pass them to doveadm pw -s SHA512-CRYPT -p plaintext and store what comes out to your DB. If you don't have them, there's a way using postlogin script - http://wiki2.dovecot.org/PostLoginScripting , see http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes This method will however convert scheme for _first_ password that allows someone to login. So you can expect complaints from your users who use their account from two devices with different passwords (with difference after 8th character.) They will login from one device, password scheme changes and the other device will be locked out.