This is a discussion on password encryption within the alt.comp.mail.qmail forums, part of the Mail Servers and Related category; No solution yet: How does qmail encrypt the password that it stores in vpopmail? Shelly...
sheldonlg@gmail.com <sheldonlg@gmail.com> wrote:
> > No solution yet:
> How does qmail encrypt the password that it stores in vpopmail?

I'd guess qmail does not store any password in vpopmail... vpopmail comes with its own authentication module and with its own routines to add users etc. You can switch off encryption of vpopmail's passwords so that vpopmail stores its password as clear text.

Best regards
Thomas
vpopmail uses mysql as a database. In it there are two fields, one for clear text password and one for an encrypted password. The encrypted password is different for two users with the same password.

Example:
pw_name    pw_clear  pw_passwd
testacct2  asdfgh    $1$VatP8d60$HhKVM1UAZTrMSGrqHJiwr/
testacct4  asdfgh    $1$esHumhwr$QXd6hmiSoxU91ubh9nfuV.

I would like to be able to compare passwords when the user logs into my site. I would need to be able to encrypt his password to do this to compare against pw_passwd, instead of being forced to use pw_clear. To do this I would have to encrypt the password myself.
sheldonlg@gmail.com wrote:
> vpopmail uses mysql as a database. In it there are two fields, one for
> clear text password and one for an encrypted password. The encrypted
> password is different for two users with the same password.
>
> Example:
> pw_name    pw_clear  pw_passwd
> testacct2  asdfgh    $1$VatP8d60$HhKVM1UAZTrMSGrqHJiwr/
> testacct4  asdfgh    $1$esHumhwr$QXd6hmiSoxU91ubh9nfuV.
>
> I would like to be able to compare passwords when the user logs into my
> site. I would need to be able to encrypt his password to do this to
> compare against pw_passwd, instead of being forced to use pw_clear. To
> do this I would have to encrypt the password myself.

I do not see what your dilemma is. How is it different in functionality to compare within your system the clear text user provided password to the clear text database entry?

The whole idea of alternate encryption is to increase the difficulty of guessing the password.

AK
"AK" <aktrader2@excite.com> wrote in message news:BJSdnZtdrK1OJHnenZ2dnUVZ_t2dnZ2d@comcast.com...
> sheldonlg@gmail.com wrote:
>
>> vpopmail uses mysql as a database. In it there are two fields, one for
>> clear text password and one for an encrypted password. The encrypted
>> password is different for two users with the same password.
>>
>> Example:
>> pw_name    pw_clear  pw_passwd
>> testacct2  asdfgh    $1$VatP8d60$HhKVM1UAZTrMSGrqHJiwr/
>> testacct4  asdfgh    $1$esHumhwr$QXd6hmiSoxU91ubh9nfuV.
>>
>> I would like to be able to compare passwords when the user logs into my
>> site. I would need to be able to encrypt his password to do this to
>> compare against pw_passwd, instead of being forced to use pw_clear. To
>> do this I would have to encrypt the password myself.
>
> I do not see what your dilemma is. How is it different in functionality to
> compare within your system the clear text user provided password to the
> clear text database entry?
>
> The whole idea of alternate encryption is to increase the difficulty of
> guessing the password.

Because I want to remove the clear text password field and just use an encrypted field. Yes, as it now sits there is no problem. However, I want to increase hack protection.
Shelly wrote:
> "AK" <aktrader2@excite.com> wrote in message
> news:BJSdnZtdrK1OJHnenZ2dnUVZ_t2dnZ2d@comcast.com...
>
>> sheldonlg@gmail.com wrote:
>>
>>> vpopmail uses mysql as a database. In it there are two fields, one for
>>> clear text password and one for an encrypted password. The encrypted
>>> password is different for two users with the same password.
>>>
>>> Example:
>>> pw_name    pw_clear  pw_passwd
>>> testacct2  asdfgh    $1$VatP8d60$HhKVM1UAZTrMSGrqHJiwr/
>>> testacct4  asdfgh    $1$esHumhwr$QXd6hmiSoxU91ubh9nfuV.
>>>
>>> I would like to be able to compare passwords when the user logs into my
>>> site. I would need to be able to encrypt his password to do this to
>>> compare against pw_passwd, instead of being forced to use pw_clear. To
>>> do this I would have to encrypt the password myself.
>>
>> I do not see what your dilemma is. How is it different in functionality to
>> compare within your system the clear text user provided password to the
>> clear text database entry?
>>
>> The whole idea of alternate encryption is to increase the difficulty of
>> guessing the password.
>
> Because I want to remove the clear text password field and just use an
> encrypted field. Yes, as it now sits there is no problem. However, I want
> to increase hack protection.

The salt for the crypt command in your case is the set of eight characters between the $1$ and the next $ signs. You should provide the encrypted password from the database. The crypt function will use the eight characters in conjunction with an md5 transaction to encrypt the cleartext password provided by the user.

One cautionary note: make sure that you are not using any functionality within your POP3, IMAP, SMTP Authentication which requires access to the clear password. Certain things come to mind: SMTP auth (md5), IMAP (encrypted username/password). If the user uses an MD5-Digest authentication, your system needs to have access to the clear text password in order to generate a digest and compare.

Please further note that the existence of clear text password information within your system does not make it more prone to being hacked. I.e. because you leave your house keys in the house, it does not make it more likely to be broken into than if you left the doors and windows open. Secure your system's services, and disable services that you do not need/use. Patch the system with the vendor's updates. Pick complex passwords. Change passwords on a regular basis.

AK
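The scheme AK describes (crypt with the salt taken from between the `$1$` and the next `$` of the stored value, MD5 underneath) is MD5-crypt. The following is an added example, not code from the thread or from vpopmail or qmail: a self-contained Python implementation of `$1$` MD5-crypt so that a login attempt can be checked against pw_passwd alone, with no pw_clear column and without Python's `crypt` module (deprecated in 3.11, removed in 3.13). The sample rows are the ones Shelly posted; the function names are my own.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value: int, count: int) -> str:
    """crypt(3)'s base-64 variant: emit the low 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5crypt(password: str, salt: str) -> str:
    """Return '$1$<salt>$<22 chars>' for password, as crypt(3) does for the $1$ scheme."""
    pw, sp = password.encode(), salt[:8].encode()   # salt is at most 8 characters
    ctx = hashlib.md5(pw + b"$1$" + sp)
    final = hashlib.md5(pw + sp + pw).digest()
    for left in range(len(pw), 0, -16):             # mix len(pw) bytes of the inner digest
        ctx.update(final[:min(left, 16)])
    i = len(pw)
    while i:                                        # one byte per bit of the length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                           # fixed 1000-round stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = "$1$" + sp.decode() + "$"
    for x, y, z in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[x] << 16) | (final[y] << 8) | final[z], 4)
    return out + _to64(final[11], 2)

def verify(password: str, stored: str) -> bool:
    """Check a login attempt against a pw_passwd value; the salt is read from the stored string."""
    parts = stored.split("$")                       # '', '1', salt, hash
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(md5crypt(password, parts[2]), stored)

if __name__ == "__main__":
    # Rows from the thread; pw_clear for both accounts was "asdfgh".
    rows = {"testacct2": "$1$VatP8d60$HhKVM1UAZTrMSGrqHJiwr/", "testacct4": "$1$esHumhwr$QXd6hmiSoxU91ubh9nfuV."}
    for name, stored in rows.items():
        print(name, verify("asdfgh", stored), verify("wrong", stored))
```

`verify` compares with `hmac.compare_digest` so that the comparison time does not depend on where the strings first differ; a new stored value for a password reset is just `md5crypt(new_password, random_8_char_salt)`.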