Hi.

On Monday 12 July 2010, 14:42:14, Mihamina Rakotomandimby wrote:
> I have an old Courier authing against a MySQL database.
> Currently, passwords are cleartext in the database and 
> it's time to switch to at least crypt()'d passes.
> 
> Do you think my current version of Courier and Courier-authmysql 
> will support this? It's running on a Debian Etch.

Courier (-authlib) uses the crypt() system call, defined in glibc, to crypt and 
check passwords.

The traditional crypt() implementation has been outdated for ages and should 
never be used anywhere (it limits passwords to 8 characters!). It does not 
improve your security in a significant manner.


On every current system (including Debian Etch), the crypt() call is mainly 
used to generate hashed passwords in more modern hash variants. New systems 
work with SHA-512 by default, older systems with MD5. I don't know what the 
state of Debian Etch is.

Just look into your /etc/shadow file and check the password hash string of a 
recently changed password:
If it starts with $1$, it's MD5; if it starts with $6$, it's SHA-512.

You should use the most modern, supported hash algorithm. You can use 
"userdbpw -md5" to generate MD5 passwords. If you're coding a transition 
program yourself, the crypt() system call can be used to hash the passwords.

Do not use MySQL's hash functions, the format is different.

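As an added worked example (not part of this thread, and not Courier or courier-authlib code), the following script shows what the advice above amounts to in practice: the prefix check on a stored hash, a pure-Python port of glibc's SHA-512 crypt() ($6$) following Drepper's published algorithm so the result can be compared with what crypt() on the server produces, a verifier that re-hashes with the stored salt, and a stand-in for the transition loop over (user, cleartext) rows. The "Hello world!" / "saltstring" pair is the public test vector from the SHA-crypt specification; the user rows at the bottom are constructed sample data. On a real Debian box you would simply call crypt() (Perl's crypt(), or Python's crypt module where it still exists) with a "$6$<salt>" setting string instead of carrying your own implementation; the port is here so the format is visible and testable offline.

```python
import hashlib
import hmac
import secrets

# crypt(3)'s own 64-character alphabet, not RFC 4648 base64.
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_from_24bit(b2, b1, b0, n):
    """Pack three bytes into a 24-bit word and emit n chars, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password, salt, rounds=5000):
    """Port of glibc's SHA-512 crypt() ($6$), per Drepper's SHA-crypt spec.
    Returns the full "$6$[rounds=N$]<salt>$<86 chars>" string."""
    key = password.encode()
    salt = salt.encode()[:16]          # crypt() truncates the salt to 16 bytes
    h = hashlib.sha512
    b = h(key + salt + key).digest()   # digest B = H(key || salt || key)
    a = h(key + salt)                  # digest A starts with key || salt ...
    n = len(key)
    while n > 64:                      # ... then B stretched to len(key) bytes
        a.update(b)
        n -= 64
    a.update(b[:n])
    n = len(key)
    while n > 0:                       # ... then, per bit of len(key), B or key
        a.update(b if n & 1 else key)
        n >>= 1
    a = a.digest()
    dp = h(key * len(key)).digest()    # P = H(key x len(key)) cut to len(key)
    p = (dp * (len(key) // 64 + 1))[:len(key)]
    ds = h(salt * (16 + a[0])).digest()  # S = H(salt x (16+A[0])) cut to len(salt)
    s = (ds * (len(salt) // 64 + 1))[:len(salt)]
    c = a                              # stretching: `rounds` chained digests
    for r in range(rounds):
        d = h()
        d.update(p if r & 1 else c)
        if r % 3:
            d.update(s)
        if r % 7:
            d.update(p)
        d.update(c if r & 1 else p)
        c = d.digest()
    out = []                           # glibc's permuted byte order before encoding
    for i in range(21):                # triples (i, i+21, i+42) rotated by i mod 3
        t = (i, i + 21, i + 42)
        k = i % 3
        x, y, z = t[k:] + t[:k]
        out.append(_b64_from_24bit(c[x], c[y], c[z], 4))
    out.append(_b64_from_24bit(0, 0, c[63], 2))
    prefix = "$6$" if rounds == 5000 else "$6$rounds=%d$" % rounds
    return prefix + salt.decode() + "$" + "".join(out)


def verify_crypt(password, stored):
    """Re-hash with the stored salt/rounds and compare in constant time."""
    fields = stored.split("$")         # ['', '6', ['rounds=N',] salt, hash]
    if len(fields) < 4 or fields[1] != "6":
        return False
    rounds, salt_idx = 5000, 2
    if fields[2].startswith("rounds="):
        rounds, salt_idx = int(fields[2][7:]), 3
    recomputed = sha512_crypt(password, fields[salt_idx], rounds)
    return hmac.compare_digest(recomputed.rsplit("$", 1)[1], fields[-1])


def hash_kind(stored):
    """The /etc/shadow prefix check from the mail, applied to one stored value."""
    for prefix, kind in (("$6$", "sha512"), ("$5$", "sha256"), ("$1$", "md5"),
                         ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
                         ("$y$", "yescrypt")):
        if stored.startswith(prefix):
            return kind
    if len(stored) == 13 and all(ch in B64 for ch in stored):
        return "des"   # traditional crypt(): 2-char salt + 11 chars, 8-char password limit
    return "cleartext-or-unknown"


def new_salt(n=16):
    return "".join(secrets.choice(B64) for _ in range(n))


def migrate_rows(rows):
    """Stand-in for the SQL loop: (user, cleartext) -> (user, $6$ hash).
    MySQL's MD5()/SHA1()/PASSWORD() are deliberately not used: they are unsalted
    and encoded differently, so courier-authlib's crypt() check would never match."""
    return [(user, sha512_crypt(pw, new_salt())) for user, pw in rows]


if __name__ == "__main__":
    # Constructed sample rows, not data from the thread.
    for user, hashed in migrate_rows([("alice", "correct horse"), ("bob", "hunter2")]):
        print(user, hash_kind(hashed), hashed)
```

The only thing that changes in the real transition script is where the rows come from and go to (a SELECT of the cleartext column, an UPDATE of the crypt column); the hash string itself must be the "$6$salt$..." form, because that prefix is what tells crypt() which algorithm and salt to use when courier-authlib later checks a login.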

_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
