This documentation is for Dovecot v1.x, see wiki2 for v2.x documentation.

Password Schemes

Passwords can be stored in [wiki:PasswordDatabase password databases] in many different formats. Usually they should be stored hashed rather than in plaintext, so that an attacker who gets into your server can't simply read everyone's passwords out of the database.

With non-plaintext [wiki:Authentication/Mechanisms authentication mechanisms] you either have to store the password in a mechanism-specific format (which is incompatible with every other auth mechanism except the plaintext ones), or you have to store the passwords as plaintext. For example, if you're going to use CRAM-MD5 authentication, the password needs to be stored in plaintext or in the CRAM-MD5 scheme. If you want to allow both CRAM-MD5 and DIGEST-MD5, the password must be stored in plaintext, because each of those mechanisms needs its own mechanism-specific form.

With plaintext auth mechanisms it doesn't matter in which scheme the password is stored locally, because Dovecot hashes the plaintext password it receives with the stored scheme and compares the results. Usually people use only the plaintext authentication mechanism; encrypting the connection with SSL/TLS gives the passwords the necessary protection in transit.

Often you already have the passwords in some specific format, so the best idea is to just keep using them. Otherwise pick one scheme to use, for example SSHA (salted SHA1): the per-password salt means that a stolen database can't be attacked with precomputed hash tables, unlike the unsalted schemes.

Currently supported password schemes are:

The default password scheme can usually be specified for each password database. You can override it per password by prefixing the password with {SCHEME}, for example {PLAIN}password. Note that not all [wiki:PasswordDatabase password databases] support changing the scheme. With some you might cause incompatibilities with other software using the same database (eg. [wiki:AuthDatabase/Passwd passwd], [wiki:PasswordDatabase/Shadow shadow]), and with others it simply isn't possible at all because of the way they work (eg. [wiki:PasswordDatabase/PAM PAM], which verifies the password itself and never hands the stored hash to Dovecot).

Dovecot contains a dovecotpw utility which can be used to easily generate a password hash in the wanted scheme.

For some schemes (eg. PLAIN-MD5, SHA) Dovecot is able to detect whether the password hash is base64 or hex encoded, so either can be used. dovecotpw nevertheless generates the hashes using the encoding mentioned above for each scheme.
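To make the {SCHEME} prefix handling and the hex/base64 detection concrete, here is an added example, written for this page and not part of Dovecot or dovecotpw. It implements a small subset of the schemes (PLAIN, PLAIN-MD5, SHA, SMD5, SSHA) in plain Python: generate() produces a {SCHEME}hash string the way dovecotpw would, and verify() does what Dovecot does on a plaintext login, i.e. picks the scheme from the prefix (falling back to the passdb default), decodes the stored hash whether it is hex or base64, and hashes the supplied password the same way. The salted formats follow the usual LDAP layout (digest followed by the salt, base64 encoded); the hex-versus-base64 guess in decode_hash() is this example's own heuristic, not a description of Dovecot's exact code. The CRAM-MD5 and DIGEST-MD5 mechanism-specific schemes are deliberately left out.

```python
import base64
import hashlib
import hmac
import os
import re

# Scheme name -> (hash constructor, salted?). A subset of Dovecot's schemes,
# chosen for this example; None marks PLAIN, which has no hash at all.
SCHEMES = {
    "PLAIN": None,
    "PLAIN-MD5": (hashlib.md5, False),
    "SHA": (hashlib.sha1, False),
    "SMD5": (hashlib.md5, True),
    "SSHA": (hashlib.sha1, True),
}

# Matches the "{SCHEME}" prefix that overrides the passdb's default scheme.
PREFIX_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def split_scheme(stored, default_scheme):
    """Return (scheme, hash_text); an explicit {SCHEME} prefix wins over the default."""
    m = PREFIX_RE.match(stored)
    if m:
        return m.group(1).upper(), m.group(2)
    return default_scheme.upper(), stored


def decode_hash(text, digest_size):
    """Accept a hex or a base64 encoded hash (heuristic assumed for this example).

    A string made only of hex digits and at least as long as the hex form of
    the digest is treated as hex; anything else is decoded as base64.
    """
    is_hex = (len(text) >= 2 * digest_size and len(text) % 2 == 0
              and all(c in "0123456789abcdefABCDEF" for c in text))
    if is_hex:
        return bytes.fromhex(text)
    return base64.b64decode(text, validate=True)   # raises binascii.Error (a ValueError)


def generate(scheme, password, salt=None, hex_encode=False):
    """Produce a '{SCHEME}hash' string, as dovecotpw would for these schemes."""
    scheme = scheme.upper()
    if scheme == "PLAIN":
        return "{PLAIN}" + password
    ctor, salted = SCHEMES[scheme]
    if salted:
        salt = os.urandom(4) if salt is None else salt       # 4 random salt bytes, this example's choice
        raw = ctor(password.encode() + salt).digest() + salt  # LDAP-style: digest || salt
    else:
        raw = ctor(password.encode()).digest()
    encoded = raw.hex() if hex_encode else base64.b64encode(raw).decode()
    return "{%s}%s" % (scheme, encoded)


def verify(stored, password, default_scheme="PLAIN"):
    """Check a plaintext password against a stored (optionally prefixed) hash."""
    scheme, text = split_scheme(stored, default_scheme)
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    if scheme == "PLAIN":
        return hmac.compare_digest(text.encode(), password.encode())
    ctor, salted = SCHEMES[scheme]
    digest_size = ctor().digest_size
    try:
        raw = decode_hash(text, digest_size)
    except ValueError:          # neither valid hex nor valid base64
        return False
    if salted:
        digest, salt = raw[:digest_size], raw[digest_size:]
        expected = ctor(password.encode() + salt).digest()
    else:
        digest, expected = raw, ctor(password.encode()).digest()
    # Constant-time comparison; also returns False on a length mismatch.
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample entries, as they might appear in a passwd-file style passdb.
    entries = [
        "{PLAIN-MD5}5ebe2294ecd0e0f08eab7690d2a6ee69",   # hex encoded md5("secret")
        "{PLAIN-MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==",           # base64 of the same digest
        generate("SSHA", "secret"),
        generate("SMD5", "secret", hex_encode=True),
        "secret",                                        # no prefix: passdb default applies
    ]
    for e in entries:
        print("%-60s ok=%s wrong=%s" % (e, verify(e, "secret"), verify(e, "wrong")))
```

Note what the example makes visible: the same MD5 digest verifies whether it was stored hex or base64 encoded, a stored value without a prefix is interpreted under the passdb default (here PLAIN), and a salted scheme only needs the salt that is carried inside the stored value, so each user's hash stays independent of every other user's.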