couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Newson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (COUCHDB-1060) CouchDB should use a secure password hash method instead of the current one
Date Sun, 08 May 2011 17:19:03 GMT

    [ https://issues.apache.org/jira/browse/COUCHDB-1060?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13030510#comment-13030510
] 

Robert Newson commented on COUCHDB-1060:
----------------------------------------

Filipe,

It might be fine, but I think it misses the point. It's weird to create the value on the client
side anyway. We should pass the password as entered, and let the backend salt it and digest
it. The transmission should be protected by SSL, which we can do from 1.1 onwards.


> CouchDB should use a secure password hash method instead of the current one
> ---------------------------------------------------------------------------
>
>                 Key: COUCHDB-1060
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1060
>             Project: CouchDB
>          Issue Type: Improvement
>          Components: Database Core
>    Affects Versions: 1.0.2
>            Reporter: Nuutti Kotivuori
>            Assignee: Robert Newson
>            Priority: Minor
>             Fix For: 1.2
>
>         Attachments: pbkdf2.erl, pbkdf2.erl
>
>
> CouchDB passwords are stored in a salted, hashed format of a 128-bit salt combined with
the password under SHA-1. This method thwarts rainbow table attacks, but is utterly ineffective
against any dictionary attacks as computing SHA-1 is very fast indeed.
> If passwords are to be stored in a non-plaintext equivalent format, the hash function
needs to be a "slow" hash function. Suitable candidates for this could be bcrypt, scrypt and
PBKDF2. Of the choices, only PBKDF2 is really widely used, standardized and goverment approved.
(Note: don't be fooled that the PBKDF2 is a "key derivation" function - in this case, it is
exactly the same thing as a slow password hash.)
> http://en.wikipedia.org/wiki/PBKDF2

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message