From dev-return-14804-apmail-couchdb-dev-archive=couchdb.apache.org@couchdb.apache.org Sat Feb 05 18:55:57 2011 Return-Path: Delivered-To: apmail-couchdb-dev-archive@www.apache.org Received: (qmail 16985 invoked from network); 5 Feb 2011 18:55:56 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 5 Feb 2011 18:55:56 -0000 Received: (qmail 58844 invoked by uid 500); 5 Feb 2011 18:55:55 -0000 Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org Received: (qmail 58705 invoked by uid 500); 5 Feb 2011 18:55:55 -0000 Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@couchdb.apache.org Delivered-To: mailing list dev@couchdb.apache.org Received: (qmail 58692 invoked by uid 99); 5 Feb 2011 18:55:54 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 05 Feb 2011 18:55:54 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED,T_RP_MATCHES_RCVD X-Spam-Check-By: apache.org Received: from [140.211.11.116] (HELO hel.zones.apache.org) (140.211.11.116) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 05 Feb 2011 18:55:52 +0000 Received: from hel.zones.apache.org (hel.zones.apache.org [140.211.11.116]) by hel.zones.apache.org (Postfix) with ESMTP id 950871918A3 for ; Sat, 5 Feb 2011 18:55:31 +0000 (UTC) Date: Sat, 5 Feb 2011 18:55:31 +0000 (UTC) From: "Robert Newson (JIRA)" To: dev@couchdb.apache.org Message-ID: <362451469.1981.1296932131607.JavaMail.tomcat@hel.zones.apache.org> In-Reply-To: <679185515.1934.1296928530664.JavaMail.tomcat@hel.zones.apache.org> Subject: [jira] Commented: (COUCHDB-1060) CouchDB should use a secure password hash method instead of the current one MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/COUCHDB-1060?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12991034#comment-12991034 ] Robert Newson commented on COUCHDB-1060: ---------------------------------------- I think the point is that our current scheme is equivalent to plaintext passwords (the work factor is simply too low to quibble over). The overhead ought to be low enough, but we'll have to measure. BTW: I *HATE* new Jira. They appear to have overridden common key sequences (ctrl-a takes you to a custom Administration menu up there ^^ and not beginning-of-line like normal). Plus, my goodness, it's ugly. > CouchDB should use a secure password hash method instead of the current one > --------------------------------------------------------------------------- > > Key: COUCHDB-1060 > URL: https://issues.apache.org/jira/browse/COUCHDB-1060 > Project: CouchDB > Issue Type: Improvement > Components: Database Core > Affects Versions: 1.0.2 > Reporter: Nuutti Kotivuori > Priority: Minor > > CouchDB passwords are stored in a salted, hashed format of a 128-bit salt combined with the password under SHA-1. This method thwarts rainbow table attacks, but is utterly ineffective against any dictionary attacks as computing SHA-1 is very fast indeed. > If passwords are to be stored in a non-plaintext equivalent format, the hash function needs to be a "slow" hash function. Suitable candidates for this could be bcrypt, scrypt and PBKDF2. Of the choices, only PBKDF2 is really widely used, standardized and goverment approved. (Note: don't be fooled that the PBKDF2 is a "key derivation" function - in this case, it is exactly the same thing as a slow password hash.) > http://en.wikipedia.org/wiki/PBKDF2 -- This message is automatically generated by JIRA. - For more information on JIRA, see: http://www.atlassian.com/software/jira