From: Chris Anderson
To: dev@couchdb.apache.org
Date: Sat, 6 Feb 2010 17:31:29 -0800
Subject: Re: JavaScript bcrypt (was Re: authentication cleanup)

On Sat, Feb 6, 2010 at 5:11 PM, Matt Lyon wrote:
> +1 to using a password scheme that allows for future extensibility
> and/or change.

I'd love to hear people's ideas about what schema to store the passwords in: maybe something like this in the _user doc:

{ credentials : { type : "bcrypt", whatever else } }

> As to why storing passwords as a hashed signature (even with a salt),
> this has been making its rounds through the ruby community recently:
> http://codahale.com/how-to-safely-store-a-password/
>
> just because a hash signature is a one-way function doesn't mean it's
> necessarily cryptographic.

--
Chris Anderson
http://jchrisa.net
http://couch.io