couchdb-dev mailing list archives

From Benoit Chesneau <>
Subject Re: authentication cleanup
Date Mon, 04 Jan 2010 21:56:24 GMT
On Mon, Jan 4, 2010 at 10:26 PM, Adam Kocoloski <> wrote:
> Hi, just catching up on this very nice thread.  I'm +1 on using the login for the docid instead of triggering a view lookup, for the reasons Chris outlined.  Regarding resistance to brute force attacks, bcrypt storage is definitely better than salted sha-anything, and Colin Percival's scrypt[1] is definitely better than bcrypt.  I'm not aware of javascript implementations of either of them, though.
> I'm curious to see where we end up on the whole 401 Unauthorized browser popup thing.  At Cloudant we still respond with a 401 if a basic auth request failed, but we send a 403 if a /_session request failed or a cookie expired, and for exactly this reason.
> Anyway, nice work Chris!  Best, Adam
> [1]:

There are some blowfish implementations in javascript:

I guess it could be used to do bcrypt but not sure about the exact algorithm.

- benoît
