[Users] [Bug 2796] New: Weak Password Security
noreply at thewildbeast.co.uk
Mon Nov 19 05:15:52 CET 2012
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2796
Summary: Weak Password Security
Product: Claws Mail
Version: other
Platform: PC
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: Other
AssignedTo: users at lists.claws-mail.org
ReportedBy: franz.wudy at mail.com
Hello,
MD5-based password schemes have been known to be insecure for quite a while now. See
Stuxnet & Co in Microsoft's case.
SHA in its various configurations still seems to be a good choice for hashing
algorithms.
DOVECOT imap servers as well as Cyrus and (I believe) UW's imapd do support the
"salted" SCRAM-SHA-1 scheme for quite a while now as a secure alternative.
SCRAM-SHA-1-PLUS is being worked on.
http://www.dovecot.org/list/dovecot/2011-September/061172.html
DOVECOT has been tested against GNU SASL.
MD5-based schemes (CRAM, DIGEST, etc) should either not be allowed any more or
at least the user should be warned that he is about to give up some of his most
essential information.
A common and safe denominator between servers and a client is SCRAM-SHA-1 these
days and it should be implemented.
Thanks -
Franz
--
Configure bugmail: http://www.thewildbeast.co.uk/claws-mail/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
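The salted SCRAM-SHA-1 exchange requested in this report, as an added example that is not part of the original message or of Claws Mail's code: it computes the client proof and the server-side check using the test vector from RFC 5802 section 5. It assumes an ASCII password (no SASLprep step) and no channel binding; the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# RFC 5802 section 5 test vector (user "user", password "pencil").
CLIENT_FIRST_BARE = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
FINAL_NO_PROOF = "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
AUTH_MESSAGE = f"{CLIENT_FIRST_BARE},{SERVER_FIRST},{FINAL_NO_PROOF}".encode()

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def client_final(password, server_first=SERVER_FIRST, auth=AUTH_MESSAGE):
    """Client side: return (proof_b64, expected_server_signature_b64, stored_key)."""
    attrs = dict(kv.split("=", 1) for kv in server_first.split(","))
    salt, rounds = base64.b64decode(attrs["s"]), int(attrs["i"])
    # SaltedPassword = Hi(password, salt, i), i.e. PBKDF2-HMAC-SHA-1, 20 bytes
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("ascii"), salt, rounds)
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()   # what the server keeps
    proof = _xor(client_key, _hmac(stored_key, auth))
    server_sig = _hmac(_hmac(salted, b"Server Key"), auth)
    return (base64.b64encode(proof).decode(),
            base64.b64encode(server_sig).decode(),
            stored_key)

def server_accepts(stored_key, proof_b64, auth=AUTH_MESSAGE):
    """Server side: verify the proof using only StoredKey, never the password."""
    client_key = _xor(base64.b64decode(proof_b64), _hmac(stored_key, auth))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key)

if __name__ == "__main__":
    proof, server_sig, stored = client_final("pencil")
    print("client sends  p=" + proof)
    print("server sends  v=" + server_sig)
    print("server accepts:", server_accepts(stored, proof))
```

The server stores only the salt, the iteration count, StoredKey and ServerKey, and the password itself never crosses the wire; the client in turn checks the `v=` value to authenticate the server.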