[Users] [Bug 2796] New: Weak Password Security

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Mon Nov 19 05:15:52 CET 2012


           Summary: Weak Password Security
           Product: Claws Mail
           Version: other
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Other
        AssignedTo: users at lists.claws-mail.org
        ReportedBy: franz.wudy at mail.com


MD5-based password schemes have been known to be insecure for quite a while now. See
Stuxnet & Co in Microsoft's case.

SHA in its various configurations still seems to be a good choice for hashing.

DOVECOT imap servers as well as Cyrus and (I believe) UW's imapd have supported the
"salted" SCRAM-SHA-1 scheme for quite a while now as a secure alternative.
SCRAM-SHA-1-PLUS is being worked on.

DOVECOT has been tested against GNU SASL.

MD5-based schemes (CRAM, DIGEST, etc.) should either not be allowed any more or
at least the user should be warned that he is about to give up some of his most
essential information.

A common and safe denominator between servers and a client is SCRAM-SHA-1 these
days and it should be implemented.

Thanks -

Configure bugmail: http://www.thewildbeast.co.uk/claws-mail/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
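
The client side of the SCRAM-SHA-1 exchange requested in this report, as an added example (not part of the original report and not Claws Mail code), checked against the sample exchange in RFC 5802 section 5. It assumes an ASCII password (SASLprep is skipped) and no channel binding; the function names and the iteration floor are illustrative.

```python
import base64
import hashlib
import hmac

def _attrs(msg):
    # SCRAM messages are comma-separated "k=value" pairs; values may contain '='.
    return dict(kv.split("=", 1) for kv in msg.split(","))

def client_final(password, client_first_bare, server_first,
                 gs2_header=b"n,,", min_iterations=4096):
    """Return (client-final-message, expected ServerSignature in base64)."""
    srv = _attrs(server_first)
    cnonce = _attrs(client_first_bare)["r"]
    # The combined nonce must extend ours, otherwise the reply is not fresh.
    if not srv["r"].startswith(cnonce) or srv["r"] == cnonce:
        raise ValueError("server nonce does not extend client nonce")
    iterations = int(srv["i"])
    if iterations < min_iterations:  # assumed local policy against weak counts
        raise ValueError("iteration count too low")
    salt = base64.b64decode(srv["s"])
    # Hi() in RFC 5802 is PBKDF2-HMAC-SHA1 with a 20-byte output.
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("ascii"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    no_proof = "c=" + base64.b64encode(gs2_header).decode() + ",r=" + srv["r"]
    auth_msg = ",".join([client_first_bare, server_first, no_proof]).encode()
    client_sig = hmac.new(stored_key, auth_msg, hashlib.sha1).digest()
    # Only ClientKey XOR ClientSignature is sent, never the password or its hash.
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    server_sig = hmac.new(server_key, auth_msg, hashlib.sha1).digest()
    message = no_proof + ",p=" + base64.b64encode(proof).decode()
    return message, base64.b64encode(server_sig).decode()

def server_is_authentic(server_final, expected_sig):
    # Mutual authentication: the server must prove it knows ServerKey too.
    got = _attrs(server_final).get("v", "")
    return hmac.compare_digest(got, expected_sig)

# Sample exchange from RFC 5802 section 5 (user "user", password "pencil").
CLIENT_FIRST_BARE = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
SERVER_FINAL = "v=rmF9pqV8S7suAoZWja4dJRkFsKQ="

if __name__ == "__main__":
    msg, sig = client_final("pencil", CLIENT_FIRST_BARE, SERVER_FIRST)
    print(msg)
    print("server verified:", server_is_authentic(SERVER_FINAL, sig))
```
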
