Author Topic: Password hashing algorithm SHA256  (Read 15581 times)

Offline alainpp

  • Jr. Member
  • **
  • Posts: 26
Password hashing algorithm SHA256
« on: February 11, 2009, 07:30:40 AM »
I don't know if this is the place to post this question, please move it if it is necessary.

I have hmailserver 4 installed on my server. Version 5 is out now as a stable version and I want to upgrade. The problem is that they now have a new algorithm to process the passwords and I want to know if roundcube / myroundcube supports it. The new algorithm is called SHA256. They still support MD5, but it would be nice for roundcube to support the new algorithm.

Here's the text from hmailserver website:

"In version 4, hMailServer stored account passwords as MD5 hashes in the database. MD5 is no longer considered to be sure so in hMailServer 5 an algorithm named SHA256 is used instead. If you have custom-built software which accesses the hMailServer database and assumes that account passwords are MD5 hashes, you either need to update this software, or you need to configure hMailServer to continue using MD5 using the PreferredHashAlgorithm setting."


Thanks in advance for your replies.

Offline rosali

  • Hero Member
  • *****
  • Posts: 2,533
Password hashing algorithm SHA256
« Reply #1 on: February 11, 2009, 11:24:34 AM »
No, MyRoundCube only supports MD5 hashes. Let me know if you find some PHP code to use the new encoding and I'll implement it. I could use the hMailServer COM API, but I don't like to do it. The reason is that I do not want to lose the ability to host hMailServer on a Windows emulation while RoundCube is running Unix based.
Regards,
Rosali
__________________
MyRoundcube Project (commercial)

Offline rosali

  • Hero Member
  • *****
  • Posts: 2,533
Password hashing algorithm SHA256
« Reply #2 on: February 11, 2009, 11:26:08 AM »
UPDATE: I'm going to test PHP: sha1 - Manual and let you know.
Regards,
Rosali
__________________
MyRoundcube Project (commercial)

Offline rosali

  • Hero Member
  • *****
  • Posts: 2,533
Password hashing algorithm SHA256
« Reply #3 on: March 11, 2009, 09:13:31 AM »
I can't get it working to reproduce the hmailserver hash (without using the COM object, which is beside my goals). As a workaround I've now made MyRoundCube always use md5 for the self-registration and change password plugins as a fallback.

The disadvantage is that all self-registered users and those who change their password by MyRoundCube will fall back to md5 password hashes - not a big issue, IMO.

Changes will be released along with next MyRoundCube update.
Regards,
Rosali
__________________
MyRoundcube Project (commercial)

Offline alainpp

  • Jr. Member
  • **
  • Posts: 26
Password hashing algorithm SHA256
« Reply #4 on: March 12, 2009, 12:47:54 PM »
Don't worry, Hmailserver 5 has the option to use MD5; it's not the default anymore but can be used.

Welcome back from vacation.
« Last Edit: March 13, 2009, 03:42:17 PM by alainpp »

Offline rosali

  • Hero Member
  • *****
  • Posts: 2,533
Password hashing algorithm SHA256
« Reply #5 on: March 15, 2009, 03:58:00 AM »
There is no need to adjust the hmailserver ini since MyRoundCube 2348. Notice: If a user changes the password by MyRoundCube it will fall back to md5 hash. Also, users created by MyRoundCube (self-registration) will have md5 hashed passwords.
Regards,
Rosali
__________________
MyRoundcube Project (commercial)
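
The fallback described in replies #3 and #5 leaves a mix of MD5 and SHA256 values in the account table. As an added example (not code from this thread, MyRoundCube or hMailServer), the PHP below classifies a stored value and verifies a password against either kind. Assumptions not taken from the page: a SHA256 value is a 6-character hex salt followed by sha256(salt . password), and the constant and `hms_*` function names are hypothetical.

```php
<?php
// Added example; not MyRoundCube or hMailServer code.
// ASSUMPTION (not stated in the thread): an hMailServer 5 SHA256 value is
// 70 hex characters, a 6-character salt followed by sha256(salt . password).
// A legacy value is the plain 32-character hex MD5 of the password.
const HMS_SALT_LEN = 6; // assumed salt length, in hex characters

// Classify a stored value so MD5 fallbacks can be found and counted.
function hms_hash_type(string $stored): string
{
    if (!ctype_xdigit($stored)) {
        return 'unknown';
    }
    switch (strlen($stored)) {
        case 32:
            return 'md5';
        case 64 + HMS_SALT_LEN:
            return 'sha256';
        default:
            return 'unknown';
    }
}

// Build a salted SHA256 value; a fresh random salt is used when none is given.
function hms_sha256_hash(string $password, ?string $salt = null): string
{
    if ($salt === null) {
        $salt = bin2hex(random_bytes(3)); // 3 random bytes = 6 hex characters
    }
    return $salt . hash('sha256', $salt . $password);
}

// Verify against either format, using a constant-time comparison.
function hms_verify(string $password, string $stored): bool
{
    switch (hms_hash_type($stored)) {
        case 'md5':
            return hash_equals($stored, md5($password));
        case 'sha256':
            $salt = substr($stored, 0, HMS_SALT_LEN);
            return hash_equals($stored, hms_sha256_hash($password, $salt));
        default:
            return false; // unrecognised format: reject rather than guess
    }
}

// Constructed sample values, not real account data.
$legacy  = md5('correct horse');
$current = hms_sha256_hash('correct horse');
var_dump(hms_hash_type($legacy), hms_verify('correct horse', $legacy));
var_dump(hms_hash_type($current), hms_verify('correct horse', $current));
var_dump(hms_verify('wrong guess', $current));
```

Running `hms_hash_type()` over the stored password column shows which accounts were set back to unsalted MD5 by a password change or self-registration, so those users can be prompted to reset once SHA256 writing is available.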