Re: most secure password scheme

2017-04-29 Thread David Mehler
Hello,

Thanks for the explanation. So should I go with SSHA512 or
SHA512-CRYPT? From your explanation I'm interpreting it to mean that
SHA512-CRYPT also salts. This is for storing in a MySQL database.
Also, what should the password field length and type be set for?
Currently it's varchar(128)

Thanks.
Dave.


On 4/29/17, Aki Tuomi  wrote:
>
>> On April 29, 2017 at 4:22 AM David Mehler  wrote:
>>
>>
>> Hello,
>>
>> I have a few questions on password schemes. Is SHA512 the most secure?
>> Is there a difference between SHA512 and SHA512-CRYPT? What about
>> SSHA512 and SSH512-CRYPT?
>>
>> Is there a problem with this sql statement:
>>
>> UPDATE virtual_users SET password=CONCAT(‘{SHA256-CRYPT}’, ENCRYPT
>> (‘Password Goes Here’, CONCAT(‘$5$’, SUBSTRING(SHA(RAND()), -16
>> WHERE user=’u...@example.com’;
>>
>> I'm getting an error 1064 at the ending email address.
>>
>> Thanks.
>> Dave.
>
> SSHA512 is salted SHA512, SHA512-CRYPT is a crypt(3)-compatible salted hash.
> PKCS5 or SHA512-CRYPT with over 1000 rounds is probably very secure, but
> SHA512-CRYPT is also good. Using SHA512 is not recommended, as it's an unsalted
> hash.
>
> If ENCRYPT is the same as crypt(3) then you can try putting rounds into the salt, like
> "$6$rounds=4000$s9Zc4OA11IuLt/iV$".
>
> Aki
>


Re: Dovecot last_login plugin and Mysql

2017-04-29 Thread Aki Tuomi
I tried with the following config, and it seems to work at least for me:

map {
  pattern = shared/last-login/$user
  table = users
  value_field = last_login
  value_type = uint

  fields {
    userid = $user
  }
}

last_login and userid are the SQL table's field names.

Aki

> On April 29, 2017 at 4:28 AM David Mehler  wrote:
> 
> 
> Hi,
> 
> Thanks for pointing out the oops! I missed that. Don't worry,
> that has been changed.
> 
> Any suggestions on my issue?
> 
> Thanks.
> Dave.
> 
> 
> On 4/28/17, David Mehler  wrote:
> > Hi,
> >
> > OOPS! I missed that one and it was big.
> >
> > Changing now.
> >
> > Thanks.
> > Dave.
> >
> >
> > On 4/28/17, Noel Butler  wrote:
> >> umm
> >>
> >> It's usually a good idea to redact user and passwords for databases,
> >> even if only local socket ;)
> >>
> >> I suggest you change it ASAP.
> >>
> >> On 29/04/2017 10:53, David Mehler wrote:
> >>
> >>> Hello,
> >>>
> >>> Here is the requested file:
> >>>
> >>> driver = mysql
> >>> connect = host=/tmp/mysql.sock dbname=mail user=mail_admin
> >>> password=MainBoard55
> >>>
> >>> # Last Login
> >>> map {
> >>>   pattern = shared/last-login/$user
> >>>   table = virtual_users
> >>>   username_field = user
> >>>   value_field = lastlogin
> >>>   fields {
> >>>     user = $user
> >>>   }
> >>> }
> >>>
> >>> Thanks.
> >>> Dave.
> >>>
> >>> On 4/28/17, Aki Tuomi  wrote:
> >>> On April 29, 2017 at 12:29 AM David Mehler wrote:
> >>>
> >>> Hello,
> >>>
> >>> Trying to implement lastlogin via mysql. I'm getting an unknown column
> >>> username which I don't get. Here's the log:
> >>>
> >>> Apr 28 17:18:15 ohio dovecot: imap-login: Login:
> >>> user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
> >>> mpid=16257, secured, session=
> >>>
> >>> Apr 28 17:18:15 ohio dovecot: dict(17099): Error: sql dict: commit
> >>> failed: Unknown column 'username' in 'field list'
> >>>
> >>> Apr 28 17:18:15 ohio dovecot: imap(u...@example.com): Error:
> >>> dict-client: server returned failure: 1493414295 (reply took 0.026
> >>> secs)
> >>>
> >>> Apr 28 17:18:15 ohio dovecot: imap(u...@example.com): Error:
> >>> last_login_dict: Failed to write value for user u...@example.com
> >>>
> >>> You can configure all this in dovecot-dict-sql.conf, which you have not
> >>> provided. The actual column names are defined there.
> >>>
> >>> Aki
> >>
> >> --
> >> Kind Regards,
> >>
> >> Noel Butler
> >>
> >


Re: most secure password scheme

2017-04-29 Thread Aki Tuomi

> On April 29, 2017 at 4:22 AM David Mehler  wrote:
> 
> 
> Hello,
> 
> I have a few questions on password schemes. Is SHA512 the most secure?
> Is there a difference between SHA512 and SHA512-CRYPT? What about
> SSHA512 and SSH512-CRYPT?
> 
> Is there a problem with this sql statement:
> 
> UPDATE virtual_users SET password=CONCAT(‘{SHA256-CRYPT}’, ENCRYPT
> (‘Password Goes Here’, CONCAT(‘$5$’, SUBSTRING(SHA(RAND()), -16
> WHERE user=’u...@example.com’;
> 
> I'm getting an error 1064 at the ending email address.
> 
> Thanks.
> Dave.

SSHA512 is salted SHA512, SHA512-CRYPT is a crypt(3)-compatible salted hash.
PKCS5 or SHA512-CRYPT with over 1000 rounds is probably very secure, but
SHA512-CRYPT is also good. Using SHA512 is not recommended, as it's an unsalted
hash.

If ENCRYPT is the same as crypt(3) then you can try putting rounds into the salt, like
"$6$rounds=4000$s9Zc4OA11IuLt/iV$".

Aki
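
The two schemes contrasted above, SSHA512 and crypt(3)-style SHA512-CRYPT with a rounds= parameter carried in the salt, as an added example that is not part of the thread and not Dovecot's own code. sha512_crypt() follows Ulrich Drepper's SHA-crypt specification (the algorithm behind glibc crypt(3) "$6$" settings); ssha512() produces Dovecot's base64(SHA-512(password || salt) || salt) form; verify() is a hypothetical helper that checks a "{SCHEME}hash" value the way a password database would. The 8-byte SSHA salt, the 50,000-round default and the function names are this example's choices, not anything from the thread.

```python
# Added example, not code from the thread: Dovecot-style SSHA512 and
# SHA512-CRYPT in pure Python, so the hashes (and the "rounds in the salt"
# trick) can be generated and checked without MySQL ENCRYPT() or crypt(3).
# sha512_crypt() follows Ulrich Drepper's SHA-crypt specification, which is
# what glibc crypt(3) implements for "$6$" settings.
import base64
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_24bit(b2, b1, b0, n):
    """crypt(3) base64: n characters of a 24-bit word, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += ITOA64[w & 0x3F]
        w >>= 6
    return out


def sha512_crypt(password: bytes, setting: str) -> str:
    """crypt(3) "$6$" hash; setting is "$6$salt" or "$6$rounds=N$salt".
    A full stored hash also works as the setting, which is how verify() uses it."""
    if not setting.startswith("$6$"):
        raise ValueError("not a SHA512-CRYPT setting")
    rest, rounds, custom = setting[3:], 5000, False
    if rest.startswith("rounds="):
        num, _, rest = rest.partition("$")
        rounds, custom = min(max(int(num[7:]), 1000), 999_999_999), True
    salt = rest.split("$", 1)[0][:16].encode()     # glibc keeps at most 16 chars
    a = hashlib.sha512(password + salt)
    b = hashlib.sha512(password + salt + password).digest()
    n = len(password)
    while n > 64:
        a.update(b)
        n -= 64
    a.update(b[:n])
    n = len(password)
    while n > 0:                       # bits of len(password) pick b or password
        a.update(b if n & 1 else password)
        n >>= 1
    a = a.digest()
    dp = hashlib.sha512(password * len(password)).digest()
    p = (dp * (len(password) // 64 + 1))[:len(password)]
    ds = hashlib.sha512(salt * (16 + a[0])).digest()
    s = (ds * (len(salt) // 64 + 1))[:len(salt)]
    for i in range(rounds):            # the work factor: one SHA-512 per round
        c = hashlib.sha512(p if i & 1 else a)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(a if i & 1 else p)
        a = c.digest()
    out = ""
    for k in range(21):                # the spec's fixed byte permutation
        x, y, z = k, k + 21, k + 42
        t = ((x, y, z), (y, z, x), (z, x, y))[k % 3]
        out += _b64_24bit(a[t[0]], a[t[1]], a[t[2]], 4)
    out += _b64_24bit(0, 0, a[63], 2)
    return "$6$" + (f"rounds={rounds}$" if custom else "") + salt.decode() + "$" + out


def ssha512(password: bytes, salt=None) -> str:
    """Dovecot SSHA512: base64(SHA-512(password || salt) || salt), one iteration."""
    salt = os.urandom(8) if salt is None else salt   # 8-byte salt: this example's choice
    return base64.b64encode(hashlib.sha512(password + salt).digest() + salt).decode()


def verify(stored: str, password: str) -> bool:
    """Check a "{SCHEME}hash" value for the two schemes discussed in the thread."""
    scheme, _, data = stored.partition("}")
    scheme, pw = scheme.lstrip("{").upper(), password.encode()
    if scheme == "SSHA512":
        raw = base64.b64decode(data)
        digest, salt = raw[:64], raw[64:]   # everything after the digest is salt
        return hmac.compare_digest(hashlib.sha512(pw + salt).digest(), digest)
    if scheme == "SHA512-CRYPT":
        return hmac.compare_digest(sha512_crypt(pw, data), data)
    raise ValueError("unsupported scheme " + scheme)


def new_sha512_crypt(password: str, rounds: int = 50_000) -> str:
    """Value to store in the password column: scheme prefix, rounds in the salt."""
    salt = "".join(ITOA64[x & 0x3F] for x in os.urandom(16))  # CSPRNG, not RAND()
    return "{SHA512-CRYPT}" + sha512_crypt(password.encode(), f"$6$rounds={rounds}${salt}")


if __name__ == "__main__":
    h = new_sha512_crypt("correct horse")
    print(h, len(h))                    # 133 characters, too long for varchar(128)
    print(verify(h, "correct horse"), verify(h, "wrong"))
```

Two things this makes concrete. First, the stored value with the "{SHA512-CRYPT}" prefix, a rounds= parameter and a 16-character salt is 133 characters, so a varchar(128) column truncates it (silently in non-strict SQL mode, with an error under STRICT_TRANS_TABLES) and every login then fails; size the column generously (varchar(255)) or use TEXT. Second, the UPDATE statement quoted earlier is missing its three closing parentheses after -16, which on its own produces MySQL error 1064; beyond that, ENCRYPT() is deprecated since MySQL 5.7.6 and gone in 8.0, and SHA(RAND()) is not a cryptographic salt source, so the hash is better generated outside the database (doveadm pw -s SHA512-CRYPT -r 50000, or code like the above) and written with a parameterized UPDATE.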