Author Topic: Password plugin MD5 format  (Read 8068 times)

Offline AndyBCN

  • Newbie
  • *
  • Posts: 2
Password plugin MD5 format
« on: April 04, 2018, 01:08:31 PM »
Hi all!

  I have a small issue when using the password plugin in my environment when using the SQL backend with MySQL. Password plugin version is 4.2. Basically the issue is that I'm trying to store the passwords as MD5 and normally the password is stored as a 32 character string, the password plugin is setting the value as a 24 character string. This works ok for Dovecot auth but I also require Exim auth which breaks. Can I get the password plugin to use 32 character strings? My current password plugin config is:

Code: [Select]
$config['password_algorithm'] = 'md5';
$config['password_query'] = 'UPDATE popbox SET password_hash=%P where local_part=%l and domain_name =%d';
$config['password_crypt_hash'] = 'md5'
$config['password_idn_ascii'] = false;
$config['password_hash_algorithm'] = 'sha1';
$config['password_hash_base64'] = false;

I've also tried setting the password_hash value as "%n" but that creates a 40 character string with no {md5} prefix and also with base64 set to true for both %n and %P  but no joy.

thanks! Andy.

PS also tried %c
« Last Edit: April 04, 2018, 01:33:07 PM by AndyBCN »

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,876
    • SKaero - Custom Roundcube development
Re: Password plugin MD5 format
« Reply #1 on: April 04, 2018, 03:09:02 PM »
Well first I have to point out what your doing is very insecure, md5 is long past being secure and is easily broken. I think what you want is 'UPDATE popbox SET password_hash=md5(%p) where local_part=%l and domain_name =%d' if you need the {md5} prefix then you can add it before the md5 function.

Offline AndyBCN

  • Newbie
  • *
  • Posts: 2
Re: Password plugin MD5 format
« Reply #2 on: April 05, 2018, 02:45:41 AM »
Thanks very much, I did need the prefix so this is working for me:

password_hash=CONCAT("{md5}",md5(%p))

I appreciate MD5 is insecure, but its in the same boat as the shadow passwords on many UNIX and Linux systems, its only a problem if someone hacks the server. Communications are all TLS,

thanks, Andy.

PS although, yes thanks for the nudge I should look to update the hash format
« Last Edit: April 05, 2018, 03:01:50 AM by AndyBCN »

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,876
    • SKaero - Custom Roundcube development
Re: Password plugin MD5 format
« Reply #3 on: April 05, 2018, 03:49:10 AM »
You can change what the shadow file is using as well, to my knowledge no Unix system has shipped with MD5 out of the box for a very long time.