Date: Sun, 7 Feb 2010 18:45:17 +0000
From: Brian Candler
To: dev@couchdb.apache.org
Subject: Re: JavaScript bcrypt (was Re: authentication cleanup)
Message-ID: <20100207184517.GA5397@uk.tiscali.com>
References: <38E834CA-4265-4441-9A31-C9D8BC4C0937@apache.org> <20100127152710.GA6385@uk.tiscali.com> <0B15EAAB-40E3-41B6-831E-664258A06399@apache.org> <705e509c1002061711n3f855d96s1d330e4c8d264a31@mail.gmail.com> <20100207092153.GA4849@uk.tiscali.com>

On Sun, Feb 07, 2010 at 10:23:17AM -0800, Chris Anderson wrote:
> > password: "plain"
> > password: "{CRYPT}$1$foo$bar"
> > password: "{SHA1}..."
> > password: "{SSHA1}...with salt..."
> > ... etc
> >
> > That doesn't sound bad at all.
...
> If we can't find an Erlang library, is there a spec we should look at
> while implementing?

Yep, it's here: http://www.openldap.org/doc/admin24/security.html

Scroll down to section 14.4. Well actually it's not a full spec as it doesn't show how the salt and value are separated in SSHA1, but you can get that from the source.

Note that the {CRYPT} format is a unix crypt, which is itself an extensible format; $2$... is what OpenBSD are using for bcrypt. So actually you could just use that format. The OpenLDAP format would allow you to support existing salted SHA1 passwords in the same field.

B.
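The storage format the reply points at, as an added example that is not code from this thread or from CouchDB: OpenLDAP's `{SCHEME}base64(...)` userPassword syntax, including the salt separation the reply says the admin guide omits (in OpenLDAP's source the raw salt is appended after the 20-byte SHA-1 digest). It assumes OpenLDAP's actual prefixes are spelt `{SHA}` and `{SSHA}` (the thread's `{SHA1}`/`{SSHA1}` spellings are accepted as aliases) and leaves `{CRYPT}`/bcrypt out of scope.

```python
import base64
import hashlib
import hmac
import os

# Added example (not from the thread): OpenLDAP userPassword values look like
# {SCHEME}base64(payload). OpenLDAP spells the SHA-1 schemes {SHA}/{SSHA}; the
# thread's {SHA1}/{SSHA1} spellings are accepted too. For {SSHA} the payload is
# SHA1(password || salt) || salt, so the first 20 bytes are always the digest.

DIGEST_LEN = hashlib.sha1().digest_size  # 20

def make_sha(password: str) -> str:
    """Unsalted {SHA}: base64(SHA1(password)). Legacy only; no salt."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def make_ssha(password: str, salt: bytes = b"") -> str:
    """Salted {SSHA}: base64(SHA1(password || salt) || salt); random salt if none given."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def parse_scheme(stored: str):
    """Split '{SCHEME}payload' into (SCHEME, decoded payload bytes)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {SCHEME} prefix")
    end = stored.index("}")
    return stored[1:end].upper(), base64.b64decode(stored[end + 1:], validate=True)

def verify_ldap_password(stored: str, candidate: str) -> bool:
    """True if candidate matches a stored {SHA}/{SSHA} value; False otherwise."""
    try:
        scheme, payload = parse_scheme(stored)
    except ValueError:  # bad prefix or invalid base64 (binascii.Error is a ValueError)
        return False
    if scheme in ("SHA", "SHA1"):
        expected, actual = hashlib.sha1(candidate.encode()).digest(), payload
    elif scheme in ("SSHA", "SSHA1"):
        if len(payload) <= DIGEST_LEN:
            return False  # malformed: no salt after the digest
        actual, salt = payload[:DIGEST_LEN], payload[DIGEST_LEN:]
        expected = hashlib.sha1(candidate.encode() + salt).digest()
    else:
        return False  # {CRYPT}, {MD5}, ... are outside this example
    # Constant-time compare so timing does not reveal how many bytes matched.
    return hmac.compare_digest(expected, actual)
```

Unsalted `{SHA}` is kept only so existing records can still be checked; new passwords should be stored with a salted scheme.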