This documentation is for Dovecot v1.x, see wiki2 for v2.x documentation.

Password Schemes

Passwords can be stored in [wiki:PasswordDatabase password databases] in many different formats. Usually they should be stored encrypted just to make sure that if an attacker gets into your computer he can't easily read everyone's passwords.

With non-plaintext [wiki:Authentication/Mechanisms authentication mechanisms] you either have to store the password in a mechanism-specific format (which is incompatible with all other auth mechanisms except plaintext ones), or you'll have to store the passwords as plaintext. Usually you don't have to worry about this if you don't want to, because most clients don't support anything else than plaintext authentication anyway. Encrypting the connection with SSL gives the necessary protection for the passwords.

With plaintext auth mechanisms it doesn't matter in which format the password is stored locally, because Dovecot will internally encrypt the sent plaintext password to match the storage scheme.

Often you already have the passwords in some specific format, so the best idea is to just keep using them. Otherwise just pick one to use, for example SSHA.

Currently supported password schemes are:

Default password scheme can usually be specified for password database. You can override it by prefixing the password with {SCHEME}, for example {PLAIN}password. Note that not all [wiki:PasswordDatabase password databases] support changing the scheme. With some you might cause incompatibilities with other software using it (eg. [wiki:AuthDatabase/Passwd passwd], [wiki:PasswordDatabase/Shadow shadow]) and with others it simply isn't possible at all because of the way they work (eg. [wiki:PasswordDatabase/PAM PAM]).

Dovecot contains a dovecotpw utility which can be used to easily generate passwords for wanted scheme.