couchdb-dev mailing list archives

From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: authentication cleanup
Date Mon, 04 Jan 2010 21:56:24 GMT
On Mon, Jan 4, 2010 at 10:26 PM, Adam Kocoloski <kocolosk@apache.org> wrote:
> Hi, just catching up on this very nice thread.  I'm +1 on using the login for the docid
> instead of triggering a view lookup, for the reasons Chris outlined.  Regarding resistance
> to brute force attacks, bcrypt storage is definitely better than salted sha-anything, and
> Colin Percival's scrypt[1] is definitely better than bcrypt.  I'm not aware of javascript
> implementations of either of them, though.
>
> I'm curious to see where we end up on the whole 401 Unauthorized browser popup thing.
> At Cloudant we still respond with a 401 if a basic auth request failed, but we send a 403
> if a /_session request failed or a cookie expired, and for exactly this reason.
>
> Anyway, nice work Chris!  Best, Adam
>
> [1]: http://www.tarsnap.com/scrypt.html

There are some Blowfish implementations in JavaScript:

http://dren.ch/js_blowfish/#js_blowfish_20081901

I guess it could be used to do bcrypt but not sure about the exact algorithm.

- benoît
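As an added illustration of the storage schemes the thread compares (not code from the thread or from CouchDB), the Python sketch below keeps a user record under its login, stores a per-user random salt with either a salted SHA-1 digest or an scrypt-derived key, verifies in constant time, and measures what one verification costs per scheme. The record field names are assumptions, and scrypt stands in for bcrypt because the standard library's hashlib provides it.

```python
import hashlib
import hmac
import os
import time

# Work factor for scrypt: N=2^14, r=8, p=1 needs 128*r*N = 16 MiB of memory,
# which fits hashlib's default maxmem limit.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def derive(scheme: str, password: str, salt: bytes) -> bytes:
    """Turn a password and salt into the stored verifier for the given scheme."""
    if scheme == "scrypt":
        return hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    if scheme == "salted-sha1":
        return hashlib.sha1(salt + password.encode()).digest()
    raise ValueError(f"unknown scheme {scheme!r}")


def make_user_doc(login: str, password: str, scheme: str = "scrypt") -> dict:
    """Constructed user record keyed by login; the field names are assumptions."""
    salt = os.urandom(16)  # fresh random salt per user, never reused
    return {"_id": login, "scheme": scheme, "salt": salt.hex(),
            "key": derive(scheme, password, salt).hex()}


def verify_password(doc: dict, password: str) -> bool:
    """Recompute the verifier from the stored salt and compare in constant time."""
    try:
        candidate = derive(doc["scheme"], password, bytes.fromhex(doc["salt"]))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, bytes.fromhex(doc["key"]))


def seconds_per_check(doc: dict, rounds: int = 10) -> float:
    """Average wall-clock cost of one failed verification under this scheme."""
    start = time.perf_counter()
    for _ in range(rounds):
        verify_password(doc, "not-the-password")
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    for scheme in ("salted-sha1", "scrypt"):
        doc = make_user_doc("alice", "correct horse battery staple", scheme)
        assert verify_password(doc, "correct horse battery staple")
        assert not verify_password(doc, "wrong")
        print(f"{scheme:12s} {seconds_per_check(doc) * 1e6:10.0f} us per check")
```

The per-check cost is the point of the thread's ranking: every candidate an attacker tries against a stolen record pays the same scrypt cost the server pays, whereas a salted SHA-1 check is cheap enough that salting alone buys little.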
