couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: authentication cleanup
Date Sun, 27 Dec 2009 21:29:52 GMT
On Sun, Dec 27, 2009 at 10:09 PM, Glenn Rempe <glenn@rempe.us> wrote:
> On Sun, Dec 27, 2009 at 11:46 AM, Benoit Chesneau <bchesneau@gmail.com>wrote:
>
>> On Sun, Dec 27, 2009 at 8:05 PM, Chris Anderson <jchris@apache.org> wrote:
>>
>
>
>> >>>>>
>> >>>> Not really since salt is available and hash is only sha1. I think
we
>> >>>> could make it harder but I agree with a strong encryption we don't
>> >>>> need to hide them.
>> >
>> > I'd be happy if someone can work out a stronger cryptographic
>> > solution. I don't think that there's much we can do to make brute
>> > force password guessing harder (aside from hiding the user's db, which
>> > we should do), but I'd be happy to be shown otherwise.
>>
>> Maybe we could start by using sha256. or more. I will have a look on
>> what could be done about it.
>>
>>
> I am just jumping in late here, so forgive me if this has been discussed.
>  What about using bcrypt?  Which is *designed* to be a slow hashing
> algorithm so that you dramatically reduce the ability to conduct brute force
> attacks.  sha1, sha256, etc are designed to be fast, which if you gain
> access to the raw hashes is a bad thing.  The idea is to make brute force
> attacks as computationally expensive as possible, while not impeding normal
> usage.
>
> for general context see :
>
> http://bit.ly/7nR09X
> http://bit.ly/91a05S
>
> And it seems like Adam K. has brought this up before as an option:
>
> http://bit.ly/7nxlA1
>

also there is already some erlang code :
http://github.com/skarab/erlang-bcrypt

- benoit

Mime
View raw message