On Thursday, August 18, 2005 at 11:34:16 PM David wrote:
> So since it uses crypt, which isn't md5, there is no way for me to
> convert it to an md5.

It uses crypt() with MD5, if available. But that's not the same as
"only MD5 hashing the password", correct. And no, you can't "convert"
the passwords, as the crypted password is not suitable to figure out the
plain text password, needed for creating a plain MD5-hash.

> I guess the best thing to do then is just to store the pw's as plain
> text, then convert them to whatever I need to, to operate with my
> other systems?

Yes, you'd have to store the plain text password (which vpopmail
already does, if './configure'-ed properly) and operate with it, if
your other program(s) can't handle standard crypt()-ed passwords.

> Or is there a patch to have vpopmail store them as md5's?

Not that I'm aware of. But honestly: why would you want to give up a good
portion of security by reverting from crypt()-MD5 to "pure MD5"?
crypt(), using MD5, creates much more secure encrypted passwords,
because of the changing SALT, while plain MD5 hashing will create the
same hash over and over again, if several people use the same
password. This is the reason for SALT-ing in crypt(); different
encryption runs on the same password will result in a different
encrypted password-string as a different SALT is used every time. So
an attacker can *not* guess if two passwords are the same by having a
look only at the crypt()-ed version!

Tell your vpopmail to store a plain text version of passwords
in addition to the crypt()-ed version and make your other program(s) work
on that version. If you need an MD5-hashed version it should be rather
easy to patch vpopmail to store this additional value in database
whenever it changes the password, it's just one additional column to
store and vpopmail does not even have to MD5 the string itself, it
just has to insert a value 'MD5("passwd")' in SQL-[INSERT|UPDATE] for
MySQL storing the MD5 hash of the password. I'll take a look at the
source later today or tomorrow, but it shouldn't be much work (except
for me, I have to compile and set up a MySQL-driven vpopmail *doh*; so
if anyone with vpopmail already fed by MySQL could take a look ...?).
In space, lemmings need only open their helmets.
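
The salting behaviour described in the message above, as an added example that is not part of the original e-mail and is not vpopmail's code: a pure-Python rendering of the MD5-based crypt() scheme (`$1$`) next to a plain MD5 hash. The function names and the sample password are constructed for illustration.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, length):
    """crypt()-style base64: 6 bits per character, least significant first."""
    out = ""
    for _ in range(length):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def new_salt():
    return "".join(secrets.choice(ITOA64) for _ in range(8))

def md5_crypt(password, salt):
    """MD5-based crypt(): salted, 1000 rounds, returns '$1$salt$hash'."""
    pw, s = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = pw + b"$1$" + s + (alt * (len(pw) // 16 + 1))[:len(pw)]
    n = len(pw)
    while n:  # one byte per bit of the password length
        ctx += b"\x00" if n & 1 else pw[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):
        block = pw if i & 1 else final
        if i % 3:
            block += s
        if i % 7:
            block += pw
        block += final if i & 1 else pw
        final = hashlib.md5(block).digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                  for a, b, c in order)
    return "$1$" + salt[:8] + "$" + enc + _to64(final[11], 2)

def plain_md5(password):
    return hashlib.md5(password.encode()).hexdigest()

def verify(password, stored):
    # The salt travels inside the stored string, so checking needs no plain text.
    salt = stored.split("$")[2]
    return secrets.compare_digest(md5_crypt(password, salt), stored)

def demo():
    pw = "hunter2"  # constructed sample password shared by two users
    a, b = md5_crypt(pw, new_salt()), md5_crypt(pw, new_salt())
    return plain_md5(pw) == plain_md5(pw), a != b, verify(pw, a), verify(pw, b)
```

`demo()` shows the point of the message: the plain MD5 column would be identical for both users, while the two crypt() strings differ and still both verify.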