Search K
Appearance
Appearance
Password scheme means the format in which the password is stored in passdb.
The main reason for choosing a scheme other than PLAIN
is to prevent someone with access to the password database from stealing users' passwords and using them to access other services.
Deprecated: 3.0.0
Some password schemes are disabled by default due to being considered weak. This includes MD based (except DIGEST-MD5 and CRAM-MD5), LANMAN, NTLM and a few others.
Please read the documentation carefully.
You can enable these with auth_allow_weak_schemes = yes
.
You should choose the strongest crypt scheme that's supported by your system.
A few articles about why choosing a good password scheme is important:
It's not possible to easily switch from one password scheme to another. The only practical way to do this is to wait until user logs in and change the password during the login.
INFO
Dovecot's schemes are implemented by the libc's crypt()
function. Using them is especially useful when sharing the same passwords with other software, because most of them support using crypt()
to verify the password. However, not all libcs (especially older ones) implement all of the schemes. See below for other password schemes that are implemented by Dovecot internally (instead of libc).
From strongest to weakest:
Added: 3.0.0
Argon2 is the winner of a password hashing competition held at July 2015.
The password will start with $argon2i$
or $argon2id$.
You can use -r
to tune computational complexity, minimum is 3.
ARGON2ID is only available if your libsodium is recent enough.
ARGON2 can require quite a hefty amount of virtual memory, so we recommend that you set service auth { vsz_limit = 2G }
at least, or more.
Added: 3.0.0
This scheme is also accepted and processed according to the actual algorithm as described in the hash, e.g, {ARGON2}$argon2id$...
is recognized and processed properly as ARGON2I/ARGON2ID (as long as libsodium is recent enough to support it).
This is the Blowfish crypt (bcrypt) scheme. It is generally considered to be very secure.
The encrypted password will start with $2y$
(other generators can generate passwords that have other letters after $2, those should work too.)
bcrypt is bundled with Dovecot, so it does not require an external library.
You can tune the computational cost using -r parameter for doveadm.
A strong scheme. The encrypted password will start with $6$
.
A strong scheme. The encrypted password will start with $5$
.
/etc/shadow
. The encrypted password will start with $1$
.
You can generate passwords for a particular scheme easily with doveadm pw
utility. If you do not have Dovecot configured, you can use doveadm -O pw
to avoid complaints about config file.
The scheme defaults to CRYPT
(with the $2y$
bcrypt format), but you can use -s
to override it: doveadm pw -s SHA512-CRYPT
.
To provide password, for scripting purposes, you can use either doveadm pw -p password
or:
$ printf 'password\npassword\n' | doveadm pw
Password databases have a default password scheme:
Database | Default |
---|---|
SQL authentication database | See default_pass_scheme setting in dovecot-sql.conf.ext . |
LDAP authentication | See default_pass_scheme setting in dovecot-ldap.conf.ext . |
passwd-file authentication database | CRYPT is used by default, but can be changed |
with scheme parameter in passdb args. | |
passwd authentication database | CRYPT is used by default and can't be changed currently. |
PAM authentication database BSD authentication database | Dovecot never even sees the password with these databases, so Dovecot has nothing to do with what password scheme is used. |
The password scheme can be overridden for each password by prefixing it with {SCHEME}
, for example: {PLAIN}pass
.
See authentication mechanisms for an explanation of auth mechanisms.
Most installations use only cleartext mechanisms, so you can skip this section unless you know you want to use them.
The problem with non-cleartext auth mechanisms is that the password must be stored either in cleartext, or using a mechanism-specific scheme that's incompatible with all other non-cleartext mechanisms. In addition, the mechanism-specific schemes often offer very little protection. This isn't a limitation of Dovecot, it's a requirement for the algorithms to even work.
For example if you're going to use CRAM-MD5 authentication, the password needs to be stored in either PLAIN or CRAM-MD5 scheme. If you want to allow both CRAM-MD5 and DIGEST-MD5, the password must be stored in cleartext.
In future it's possible that Dovecot could support multiple passwords in different schemes for a single user.
Mechanism | Comment |
---|---|
CRAM-MD5 | Used with CRAM-MD5 mechanism. |
DIGEST-MD5 | Used with DIGEST-MD5 mechanism. The username is included in the hash, so it's not possible to use the hash for different usernames. |
SCRAM-SHA-1 | Used with SCRAM-SHA-1 mechanism. Added: 3.0.0 |
SCRAM-SHA-256 | Stronger replacement for SCRAM-SHA-1. Added: 3.0.0 |
Strong schemes and mechanism-specific schemes are listed above.
For some schemes (e.g. PLAIN-MD5, SHA) Dovecot is able to detect if the password hash is base64 or hex encoded, so both can be used.
Password is in cleartext.
Traditional DES-crypted password in /etc/passwd
(e.g. "pass" = vpvKh.SaNbR6s
.
Dovecot uses libc's crypt()
function, which means that CRYPT is usually able to recognize MD5-CRYPT and possibly also other password schemes. See all of the *-CRYPT
schemes at the top of this page.
The traditional DES-crypt scheme only uses the first 8 characters of the password, the rest are ignored. Other schemes may have other password length limitations (if they limit the password length at all).
Bcrypt based hash. ($2y$
)
Traditional DES based hash.
Changed: 3.0.0
Disabled by default.
MD5-based hash ($1$
)
Changed: 3.0.0
Disabled by default.
SHA-256 based hash ($5$
)
SHA-512 based hash ($6$
)
RFC 2289 based One-Time Password system.
Changed: 3.0.0
Disabled by default.
MD4 sum of the password stored in hex.
Alias for MD5-CRYPT.
MD5 sum of the password stored in hex.
MD5 sum of the password stored in base64.
Salted MD5 sum of the password stored in base64.
Alias CRAM-MD5.
See Also
See below for libc's SHA* support.
Alias for SHA1.
SHA1 sum of the password stored in base64.
Salted SHA1 sum of the password stored in base64.
SHA256 sum of the password stored in base64.
Salted SHA256 sum of the password stored in base64.
SHA512 sum of the password stored in base64.
Salted SHA512 sum of the password stored in base64.
ARGON2i password scheme, needs libsodium.
ARGON2id password scheme, needs libsodium.
Added: 3.0.0
PKCS5 Password hashing algorithm.
Note that there is no standard encoding for this format, so this scheme may not be interoperable with other software.
Dovecot implements it as $1$salt$rounds$hash
.
ARGON2 password scheme, needs libsodium
The base64 vs. hex encoding simply the default encoding that is used.
You can override it for any scheme by adding a ".hex", ".b64" or ".base64" suffix. For example:
{SSHA.b64}986H5cS9JcDYQeJd6wKaITMho4M9CrXM
contains the password encoded to base64 (just like {SSHA}){SSHA.HEX}3f5ca6203f8cdaa44d9160575c1ee1d77abcf59ca5f852d1
contains the password encoded to hexThis can be especially useful with cleartext passwords to encode characters that would otherwise be illegal. For example, in passwd-file authentication database you couldn't use a ":" character in the password without encoding it to base64 or hex. For example: {PLAIN}{\}:!"
is the same as {PLAIN.b64}e1x9OiEiCg==
.
You can also specify the encoding with doveadm pw. For example: doveadm pw -s plain.b64
.
For the SHA512-CRYPT, SHA256-CRYPT, and MD5-CRYPT schemes, the salt is stored before the hash, e.g.: $6$salt$hash
. For the BLF-CRYPT scheme, bcrypt stores the salt as part of the hash.
For most of the other salted password schemes (SMD5, SSHA*) the salt is stored after the password hash and its length can vary. When hashing the password, append the salt after the cleartext password, e.g.: SSHA256(pass, salt) = SHA256(pass + salt) + salt.
For example with SSHA256 you know that the hash itself is 32 bytes (256 bits/8 bits per byte). Everything after that 32 bytes is the salt. For example if you have a password:
{SSHA256}SoR/78T5q0UPFng8UCXWQxOUKhzrJZlwfNtllAupAeUT+kQv
After base64 decoding it you'll see that its length is 36 bytes, so the first 32 bytes are the hash and the following 4 bytes are the salt:
echo SoR/78T5q0UPFng8UCXWQxOUKhzrJZlwfNtllAupAeUT+kQv|base64 -d|wc -c
-> 36echo SoR/78T5q0UPFng8UCXWQxOUKhzrJZlwfNtllAupAeUT+kQv|base64 -d|dd bs=1 count=32|hexdump -C
-> 4a 84 7f ef c4 f9 ab 45 0f 16 78 3c 50 25 d6 43 13 94 2a 1c eb 25 99 70 7c db 65 94 0b a9 01 e5echo SoR/78T5q0UPFng8UCXWQxOUKhzrJZlwfNtllAupAeUT+kQv|base64 -d|dd bs=1 skip=32|hexdump -C
-> 13 fa 44 2f