couchdb-dev mailing list archives

From "Nuutti Kotivuori (JIRA)" <j...@apache.org>
Subject [jira] Created: (COUCHDB-1060) CouchDB should use a secure password hash method instead of the current one
Date Sat, 05 Feb 2011 17:55:30 GMT
CouchDB should use a secure password hash method instead of the current one
---------------------------------------------------------------------------

                 Key: COUCHDB-1060
                 URL: https://issues.apache.org/jira/browse/COUCHDB-1060
             Project: CouchDB
          Issue Type: Improvement
          Components: Database Core
    Affects Versions: 1.0.2
            Reporter: Nuutti Kotivuori
            Priority: Minor


CouchDB passwords are stored in a salted, hashed format of a 128-bit salt combined with the
password under SHA-1. This method thwarts rainbow table attacks, but is utterly ineffective
against any dictionary attacks as computing SHA-1 is very fast indeed.

If passwords are to be stored in a non-plaintext equivalent format, the hash function needs
to be a "slow" hash function. Suitable candidates for this could be bcrypt, scrypt and PBKDF2.
Of the choices, only PBKDF2 is really widely used, standardized and government approved. (Note:
don't be fooled by PBKDF2 being called a "key derivation" function - in this case, it is exactly
the same thing as a slow password hash.)

http://en.wikipedia.org/wiki/PBKDF2

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
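The point the issue makes, as an added example that is not code from the original message or from CouchDB: the same dictionary attack run against a salted single-SHA-1 digest and against a PBKDF2-HMAC-SHA1 digest, with the per-guess cost measured for each. The salt value, the wordlist, the target password and the password-then-salt concatenation order are constructed assumptions for this demonstration; PBKDF2 is parameterized by its iteration count, which must be stored next to the salt and the derived key so the check can be repeated.

```python
import hashlib
import hmac
import time

# Constructed sample data (not from CouchDB): a 128-bit salt and a small wordlist.
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "correct horse battery staple"]


def sha1_salted(password: str, salt: bytes) -> str:
    """The fast scheme the issue criticises: one SHA-1 over password and salt.

    The concatenation order (password || salt) is an assumption made for this example.
    """
    return hashlib.sha1(password.encode("utf-8") + salt).hexdigest()


def pbkdf2_sha1(password: str, salt: bytes, iterations: int, dklen: int = 20) -> str:
    """A slow scheme: PBKDF2-HMAC-SHA1 with a tunable iteration count.

    SHA-1 is used as the PRF only to match the page; the work factor comes from
    `iterations`, which must be stored alongside the salt and the derived key.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen).hex()


def verify(stored_hex: str, candidate_hex: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing via timing."""
    return hmac.compare_digest(stored_hex, candidate_hex)


def dictionary_attack(stored_hex: str, salt: bytes, wordlist, hasher):
    """Recompute the hash for each candidate with the known salt (salts stop rainbow
    tables, not this).

    Returns (recovered password or None, guesses made, seconds spent).
    """
    start = time.perf_counter()
    guesses = 0
    for word in wordlist:
        guesses += 1
        if verify(stored_hex, hasher(word, salt)):
            return word, guesses, time.perf_counter() - start
    return None, guesses, time.perf_counter() - start


def compare_schemes(target: str = "dragon", iterations: int = 100_000) -> dict:
    """Run the same dictionary attack against both storage schemes and report the cost."""
    fast_stored = sha1_salted(target, SALT)
    slow_stored = pbkdf2_sha1(target, SALT, iterations)

    fast = dictionary_attack(fast_stored, SALT, WORDLIST, sha1_salted)
    slow = dictionary_attack(slow_stored, SALT, WORDLIST,
                             lambda pw, s: pbkdf2_sha1(pw, s, iterations))

    return {
        "recovered_fast": fast[0],
        "recovered_slow": slow[0],
        "guesses": fast[1],
        "fast_seconds_per_guess": fast[2] / fast[1],
        "slow_seconds_per_guess": slow[2] / slow[1],
    }


if __name__ == "__main__":
    result = compare_schemes()
    factor = result["slow_seconds_per_guess"] / result["fast_seconds_per_guess"]
    print(f"salted SHA-1:  {result['fast_seconds_per_guess'] * 1e6:9.1f} us per guess")
    print(f"PBKDF2-SHA1:   {result['slow_seconds_per_guess'] * 1e6:9.1f} us per guess")
    print(f"attacker slowed down by a factor of about {factor:,.0f}")
```

Both attacks recover the password after the same number of guesses; the only thing the iteration count changes is how much CPU each guess costs the attacker, which is exactly the knob a single SHA-1 does not offer. The iteration count should be tuned so that a legitimate login stays acceptable on the server's own hardware, and raised as hardware gets faster.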