couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Newson (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (COUCHDB-1060) CouchDB should use a secure password hash method instead of the current one
Date Sat, 16 Apr 2011 19:04:05 GMT

     [ https://issues.apache.org/jira/browse/COUCHDB-1060?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Robert Newson reassigned COUCHDB-1060:
--------------------------------------

    Assignee: Robert Newson

> CouchDB should use a secure password hash method instead of the current one
> ---------------------------------------------------------------------------
>
>                 Key: COUCHDB-1060
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1060
>             Project: CouchDB
>          Issue Type: Improvement
>          Components: Database Core
>    Affects Versions: 1.0.2
>            Reporter: Nuutti Kotivuori
>            Assignee: Robert Newson
>            Priority: Minor
>             Fix For: 1.2
>
>         Attachments: pbkdf2.erl, pbkdf2.erl
>
>
> CouchDB passwords are stored in a salted, hashed format of a 128-bit salt combined with
the password under SHA-1. This method thwarts rainbow table attacks, but is utterly ineffective
against any dictionary attacks as computing SHA-1 is very fast indeed.
> If passwords are to be stored in a non-plaintext equivalent format, the hash function
needs to be a "slow" hash function. Suitable candidates for this could be bcrypt, scrypt and
PBKDF2. Of the choices, only PBKDF2 is really widely used, standardized and goverment approved.
(Note: don't be fooled that the PBKDF2 is a "key derivation" function - in this case, it is
exactly the same thing as a slow password hash.)
> http://en.wikipedia.org/wiki/PBKDF2

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message