Was there any reason for this message to be HTML-only?
On Wed, Mar 18, 2020 at 07:13:12AM +0200, Aki Tuomi wrote:
> <!doctype html>
> <html>
> <head>
> <meta charset="UTF-8">
> </head>
> <body>
> <div>
> <br>
> </div>
> <blockquote type="cite">
> <div>
> On 18/03/2020 00:06 Rupert Gallagher <r...@protonmail.com> wrote:
> </div>
> <div>
> <br>
> </div>
> <div>
> <br>
> </div>
> <br>> Password schemes: HMAC-MD5, RPA, SKEY, PLAIN-MD4, LANMAN, NTLM,
> SMD5
> <br>
> <br>The web is flooded with plain text passwords and hashed passwords
> harvested from hacked servers.
> <br>
> <br>Dovecot stores passwords with the same scheme used for client
> authentication.
> <br>
> <br>Therefore, we use crammd5/hmac-md5. It does not look like much, but is
> better than plaintext.
> <br>
> <br>As md5 is about to go, and I have no intention to store passwords in
> plaintext, I need to split the scheme used to store passwords from the scheme
> used for authentication, and migrate storage from md5 to bcrypt.
> <br>
> <br>Since this is not possible, I think I will drop passwords entirely and
> use certificates.
> <br>
> <br>
> </blockquote>
> <div>
> <br>
> </div>
> <div>
> We are not removing CRAM-MD5/DIGEST-MD5/S-CRAM-SHA-1 or S-CRAM-SHA-256.
> Also just plain MD5 is still staying.
> </div>
> <div class="io-ox-signature">
> <pre>--- 
> Aki Tuomi</pre>
> </div>
> </body>
> </html>
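
Added example, not part of the thread and not Dovecot code: a Python sketch of why a CRAM-MD5 (RFC 2195) server cannot verify a response against a one-way storage hash, while a mechanism that delivers the password itself can. The function names, the sample password and challenge are constructed, and PBKDF2 stands in for bcrypt, which is not in the standard library.

```python
import hashlib
import hmac
import os


def cram_md5_response(password: bytes, challenge: bytes) -> str:
    """Client side: hex HMAC-MD5 of the server challenge, keyed by the password."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


def server_verify_cram(stored_secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recomputes the same HMAC, so it needs the HMAC key itself."""
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, response)


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """One-way salted storage hash (PBKDF2 here as a stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def server_verify_plain(stored: bytes, salt: bytes, password: bytes) -> bool:
    """Password-delivering mechanism: the server hashes what it receives."""
    return hmac.compare_digest(stored, slow_hash(password, salt))


def demo() -> dict:
    password = b"constructed-sample-password"                # constructed
    challenge = b"<1896.697170952@mail.example.org>"         # constructed
    salt = os.urandom(16)
    stored_hash = slow_hash(password, salt)                  # what a hashed store holds
    response = cram_md5_response(password, challenge)
    return {
        # Server holds the password-equivalent secret: response verifies.
        "cram_with_password": server_verify_cram(password, challenge, response),
        # Server holds only the one-way hash: the HMAC key is gone, check fails.
        "cram_with_slow_hash": server_verify_cram(stored_hash, challenge, response),
        # Password sent to the server (e.g. inside TLS): one-way hash suffices.
        "plain_with_slow_hash": server_verify_plain(stored_hash, salt, password),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```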