Re: [Exim] a more or less special mail solution

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Jeremy C. Reed
Date:  
À: pop-imap
CC: exim-users
Sujet: Re: [Exim] a more or less special mail solution
On Sat, 31 Aug 2002, Tamas TEVESZ wrote:

> no. it is not possible because it's logically not possible. the heart
> if this impossibility is that all these hashes are one way hashes.


Yes. (I know. I never implied that they needed to be decrypted.)

> think about it: if what you are wishing to have would be possible, we
> all could throw out all of today's security, because that would mean
> that the one-way hashes are not one-way at all.


I never mentioned that. I am not sure why you thought that. That is why I
generally use the term "hash" and not "encrypted".

> > Store the hash on server.

..

> > The server makes another hash of its stored (already encrypted
> > password) against the shared secret and compares this with the client's
> > authentication data.
>
> now. if i get access to the stored hashes, what exactly makes me
> unable to re-use them ?


That wasn't the point. And I understand what you mean. The purpose was
simply to not have the passwords stored in plain text. (I believe security
by obscurity is a valid addition to already existing security.)

> what you described is CRAM, with user's passwords replaced with their
> hashes, and then the hash used as if it was the plain text password.
>
> i swear that's it. think about it.


I know. But I am giving an answer to the poster's original request:
"Passwords for the mailsystem should be saved encrypted [while auth via
MD5]".

(Another answer is just make sure your plain text passwords are secure.)

Jeremy C. Reed

http://www.bsdnewsletter.com/