On 2/5/16 1:44 PM, Jan Parcel via Cyrus-devel wrote:
On 02/05/2016 01:41 PM, Carson Gaspar via Cyrus-devel wrote:

This used to be possible using DIGEST-MD5, where the server stores
MD5(username:realm:password) instead of the plaintext password. This
is still a password equivalent, but only for the same realm (where you
can define the realm as a single host, or service, or company, or...).

Well, since md5 is now considered weak, that does not appear to be a loss.

MD5 isn't (AFAIK) vulnerable in this context, but DIGEST-MD5 had other issues (see RFC 6331). SCRAM is the better replacement.

--
Carson
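
Added example, not part of the original thread or of Cyrus SASL code: a sketch of the RFC 2831 response computation (no authzid), showing that it takes only the stored MD5(username:realm:password) value and that the value is bound to one realm. The user, password, realms, nonces and digest-uri are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def stored_verifier(user: str, realm: str, password: str) -> bytes:
    """The value the server keeps instead of the plaintext password."""
    return md5(f"{user}:{realm}:{password}".encode("utf-8"))

def digest_response(verifier: bytes, nonce: bytes, cnonce: bytes,
                    digest_uri: bytes, nc: bytes = b"00000001",
                    qop: bytes = b"auth") -> str:
    """RFC 2831 response-value. Note the input: the verifier, never the password."""
    a1 = verifier + b":" + nonce + b":" + cnonce
    a2 = b"AUTHENTICATE:" + digest_uri
    ha1 = md5(a1).hex().encode()
    ha2 = md5(a2).hex().encode()
    return md5(b":".join([ha1, nonce, nc, cnonce, qop, ha2])).hex()

def server_accepts(db_verifier: bytes, claimed: str, nonce: bytes,
                   cnonce: bytes, digest_uri: bytes) -> bool:
    """Server-side check: recompute from the database row and compare."""
    expected = digest_response(db_verifier, nonce, cnonce, digest_uri)
    return hmac.compare_digest(expected, claimed)

# Constructed sample values (assumptions, not from the thread).
USER, PASSWORD = "alice", "correct horse"
NONCE, CNONCE = b"c2VydmVyLW5vbmNl", b"Y2xpZW50LW5vbmNl"
URI = b"imap/mail.example.org"

def demo() -> dict:
    row_org = stored_verifier(USER, "example.org", PASSWORD)  # realm A database
    row_net = stored_verifier(USER, "example.net", PASSWORD)  # realm B database
    # A response built from realm A's row passes realm A's check, which is
    # why the verifier store needs the same protection as a password file.
    from_org_row = digest_response(row_org, NONCE, CNONCE, URI)
    # The same password hashed under realm B does not validate at realm A.
    from_net_row = digest_response(row_net, NONCE, CNONCE, URI)
    return {
        "same_realm": server_accepts(row_org, from_org_row, NONCE, CNONCE, URI),
        "other_realm": server_accepts(row_org, from_net_row, NONCE, CNONCE, URI),
        "rows_differ": row_org != row_net,
    }

if __name__ == "__main__":
    print(demo())
```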

