couchdb-dev mailing list archives

From Glenn Rempe <gl...@rempe.us>
Subject Re: authentication cleanup
Date Sun, 27 Dec 2009 21:09:24 GMT
On Sun, Dec 27, 2009 at 11:46 AM, Benoit Chesneau <bchesneau@gmail.com>wrote:

> On Sun, Dec 27, 2009 at 8:05 PM, Chris Anderson <jchris@apache.org> wrote:
>


> >>>>>
> >>>> Not really since salt is available and hash is only sha1. I think we
> >>>> could make it harder but I agree with a strong encryption we don't
> >>>> need to hide them.
> >
> > I'd be happy if someone can work out a stronger cryptographic
> > solution. I don't think that there's much we can do to make brute
> > force password guessing harder (aside from hiding the user's db, which
> > we should do), but I'd be happy to be shown otherwise.
>
> Maybe we could start by using sha256. or more. I will have a look on
> what could be done about it.
>
>
I am just jumping in late here, so forgive me if this has been discussed.
What about using bcrypt? Which is *designed* to be a slow hashing
algorithm so that you dramatically reduce the ability to conduct brute force
attacks. sha1, sha256, etc. are designed to be fast, which if you gain
access to the raw hashes is a bad thing. The idea is to make brute force
attacks as computationally expensive as possible, while not impeding normal
usage.

For general context see:

http://bit.ly/7nR09X
http://bit.ly/91a05S

And it seems like Adam K. has brought this up before as an option:

http://bit.ly/7nxlA1
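The fast-versus-slow hashing argument in the message above, as an added example that is not part of this thread or of CouchDB's own code: both schemes salt the password, but an attacker holding the stored hash and salt can test a guess against the single-pass SHA-1 scheme in microseconds, while the work-factored scheme makes every guess (legitimate or not) pay a configurable number of rounds. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 (`hashlib.pbkdf2_hmac`) stands in for it here; its iteration count plays the role of bcrypt's cost parameter. The password, wordlist and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data (not from the thread): the password a user picked and the
# small wordlist an attacker who has obtained the stored hash and salt would try.
PASSWORD = "correct horse"
WORDLIST = ["password", "123456", "letmein", "correct horse", "qwerty"]

# Work factor for the slow scheme. bcrypt's cost parameter plays the same role;
# raise it as hardware gets faster so that one guess stays expensive.
ITERATIONS = 50_000


def salted_sha1(password: str, salt: bytes) -> bytes:
    """Fast scheme: a single SHA-1 over salt||password. The salt defeats precomputed
    tables and makes each user's hash independent, but one guess costs one SHA-1,
    so an attacker holding the hashes can test millions of candidates per second."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Work-factored scheme: PBKDF2-HMAC-SHA256 from the standard library, used here
    as a stand-in for bcrypt. Every guess pays `iterations` rounds of HMAC, so the
    attacker's throughput drops by roughly that factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(password: str, hash_fn):
    """Store a fresh random salt next to the hash; the salt need not be secret."""
    salt = os.urandom(16)
    return salt, hash_fn(password, salt)


def verify(stored: bytes, salt: bytes, candidate: str, hash_fn) -> bool:
    """Login check. compare_digest keeps comparison time independent of where the
    first differing byte is, so timing does not leak the stored hash."""
    return hmac.compare_digest(stored, hash_fn(candidate, salt))


def dictionary_attack(stored: bytes, salt: bytes, hash_fn, wordlist):
    """Offline brute force as an attacker with the raw hashes would run it.
    Returns (recovered_password_or_None, guesses_made, seconds_per_guess)."""
    start = time.perf_counter()
    guesses = 0
    for guess in wordlist:
        guesses += 1
        if hmac.compare_digest(stored, hash_fn(guess, salt)):
            return guess, guesses, (time.perf_counter() - start) / guesses
    return None, guesses, (time.perf_counter() - start) / max(guesses, 1)


def compare_schemes(password: str = PASSWORD, wordlist=WORDLIST):
    """Run the same attack against both schemes and return, per scheme, what was
    recovered, how many guesses it took and the cost per guess, plus how many
    times more expensive the slow scheme makes every guess."""
    results = {}
    for name, fn in (("salted_sha1", salted_sha1), ("pbkdf2", slow_hash)):
        salt, stored = enroll(password, fn)
        assert verify(stored, salt, password, fn)            # legitimate login works
        assert not verify(stored, salt, password + "x", fn)  # near-miss is rejected
        found, guesses, per_guess = dictionary_attack(stored, salt, fn, wordlist)
        results[name] = {"found": found, "guesses": guesses, "seconds_per_guess": per_guess}
    results["slowdown"] = (results["pbkdf2"]["seconds_per_guess"]
                           / results["salted_sha1"]["seconds_per_guess"])
    return results


if __name__ == "__main__":
    for name, r in compare_schemes().items():
        print(name, r)
```

Both schemes recover the password after the same number of guesses; the difference is only in what each guess costs the attacker, and that cost is what the work factor lets you tune without changing the user-facing login path.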
