libsasl + smtp w/o clear passwd storage?
carson at taltos.org
Fri Feb 5 16:58:31 EST 2016
On 2/5/16 1:44 PM, Jan Parcel via Cyrus-devel wrote:
> On 02/05/2016 01:41 PM, Carson Gaspar via Cyrus-devel wrote:
>> This used to be possible using DIGEST-MD5, where the server stores
>> MD5(username:realm:password) instead of the plaintext password. This
>> is still a password equivalent, but only for the same realm (where you
>> can define the realm as a single host, or service, or company, or...).
> Well, since md5 is now considered weak, that does not appear to be a loss.
MD5 isn't (AFAIK) vulnerable in this context, but DIGEST-MD5 had other
issues (see RFC 6331). SCRAM is the better replacement.
More information about the Cyrus-devel