[GH-ISSUE #433] modoboa should support better hash algos and setting the number of rounds used for hashing #417

Closed
opened 2026-02-27 11:11:39 +03:00 by kerem · 6 comments

Originally created by @tonioo on GitHub (Dec 4, 2013).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/433

Originally assigned to: @tonioo on GitHub.

Originally created by Marc Schiffbauer on 2013-07-18T12:56:33Z

It should be possible to use and produce hashes like that one for example:

{SHA512-CRYPT}$6$rounds=20000$<the hash>
kerem closed this issue and added the bug label (2026-02-27 11:11:39 +03:00)

@tonioo commented on GitHub (Dec 4, 2013):

Posted by Simon Kern on 2013-07-30T23:34:05Z

If you consider using a different hashing algorithm, it should be bcrypt imho - see:
https://docs.djangoproject.com/en/1.5/topics/auth/passwords/

Please note that they use py-bcrypt in Django 1.5 and bcrypt in Django 1.6


@tonioo commented on GitHub (Dec 4, 2013):

Posted by Marc Schiffbauer on 2013-07-31T09:45:52Z

It should be configurable. We need something that is compatible with the underlying glibc where bcrypt is not available for example because we use these hashes also for dovecot authorization.


@tonioo commented on GitHub (Dec 4, 2013):

Posted by Antoine Nguyen on 2013-11-04T10:27:08Z

It seems passlib could be a good candidate for our need:

http://pythonhosted.org/passlib/index.html

Does anyone know it?

Other question: do we still propose weak schemes? Or do we use only strong schemes (BCRYPT, SHA512-CRYPT, SHA256-CRYPT) ?


@tonioo commented on GitHub (Dec 4, 2013):

Posted by Marc Schiffbauer on 2013-11-12T09:30:59Z

Antoine Nguyen wrote:

> It seems passlib could be a good candidate for our need:
>
> http://pythonhosted.org/passlib/index.html
>
> Does anyone know it?
>
> Other question: do we still propose weak schemes? Or do we use only strong schemes (BCRYPT, SHA512-CRYPT, SHA256-CRYPT) ?

Hi Antoine,

I do not know it, but if it supports the algorithms that glibc offers and it understands setting rounds in the hash and stuff like that it should be fine from my pov.


@tonioo commented on GitHub (Dec 4, 2013):

Posted by Antoine Nguyen on 2013-11-13T16:46:10Z

Well, for a first attempt, I'll limit this feature to SHA256-CRYPT and SHA512-CRYPT. BCRYPT is the strongest scheme but very few Linux distributions include a compatible glibc. Even if I find a Python library to create BCRYPT hashed passwords, dovecot won't be able to use them on most systems.

@Marc: is it fine for you?


@tonioo commented on GitHub (Dec 4, 2013):

Posted by Antoine Nguyen on 2013-11-15T16:25:53Z

Applied in changeset commit:949f922ce5f51d2cac05dcaa96aadd758acdfc2e.
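
An added example, not part of the thread or of modoboa's code: a stdlib-only audit of stored values in the `{SCHEME}$id$rounds=N$salt$hash` form discussed above, checking that the scheme is one of the two SHA-crypt schemes the feature was limited to and that the effective rounds meet a minimum. The `audit_hash` name, the 20000-round policy (taken from the issue's example) and the sample values are assumptions made for the illustration.

```python
import re

# SHA-crypt schemes the thread settles on, mapped to crypt(3) id and digest length.
SHA_CRYPT = {"SHA512-CRYPT": ("6", 86), "SHA256-CRYPT": ("5", 43)}
DEFAULT_ROUNDS = 5000                       # used by sha-crypt when rounds= is absent
MIN_ROUNDS, MAX_ROUNDS = 1000, 999_999_999  # sha-crypt limits; libc clamps outside them

PREFIX_RE = re.compile(r"^\{([A-Za-z0-9.-]+)\}(.*)$", re.S)
BODY_RE = re.compile(
    r"^\$(?P<ident>[0-9a-z]+)\$(?:rounds=(?P<rounds>[0-9]+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<digest>[./0-9A-Za-z]+)$"
)

def audit_hash(stored, policy_min_rounds=20000):
    """Return (scheme, rounds, problems) for one stored password value."""
    # policy_min_rounds is an assumed site policy, not a modoboa setting.
    prefix = PREFIX_RE.match(stored)
    if not prefix:
        return None, None, ["no {SCHEME} prefix"]
    scheme, body = prefix.group(1).upper(), prefix.group(2)
    if scheme not in SHA_CRYPT:
        return scheme, None, ["scheme not allowed"]
    m = BODY_RE.match(body)
    if not m:
        return scheme, None, ["malformed crypt string"]
    ident, digest_len = SHA_CRYPT[scheme]
    problems = []
    if m["ident"] != ident:
        problems.append("prefix and $id$ disagree")
    if len(m["digest"]) != digest_len:
        problems.append("wrong digest length")
    rounds = int(m["rounds"]) if m["rounds"] else DEFAULT_ROUNDS
    if not MIN_ROUNDS <= rounds <= MAX_ROUNDS:
        problems.append("rounds outside sha-crypt range")
    elif rounds < policy_min_rounds:
        problems.append("rounds below policy")
    return scheme, rounds, problems

# Constructed sample values: the salt and digests are filler, not real hashes.
SALT, D512 = "Zm9vYmFyc2FsdA", "A" * 86
SAMPLES = [
    "{SHA512-CRYPT}$6$rounds=20000$" + SALT + "$" + D512,
    "{SHA512-CRYPT}$6$" + SALT + "$" + D512,
    "{SHA256-CRYPT}$6$rounds=20000$" + SALT + "$" + D512,
    "{MD5-CRYPT}$1$" + SALT + "$" + "A" * 22,
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(audit_hash(s))
```

The second sample shows why an explicit `rounds=` field matters: a hash without it is valid but falls back to the 5000-round default.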
