couchdb-dev mailing list archives

From Noah Slater <nsla...@apache.org>
Subject Re: Improving password hashing.
Date Wed, 06 Jul 2011 15:00:24 GMT

On 6 Jul 2011, at 15:43, Robert Newson wrote:

> Essentially, in 1.2, I'm saying that the password setting
> functionality occurs solely on the Erlang side, it can't be done from
> Javascript any more. I'm unsure how controversial that is, but it's my
> experience that it's always the server that gets the plaintext of a
> password and hashes it for storage, it's only here that I've seen it
> done in the client.

There's a reason for this. Unless I'm missing something, if the client is allowed to submit
the password hash itself, you may as well be using plaintext passwords. All an attacker would
have to do is gain access to the hashes, and use them directly.
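
An added example, not code from this thread or from CouchDB: a small Python model of the two verification designs contrasted above, so the difference can be seen on a concrete record. Assumed: a constructed user record holding a salt and a salted SHA-1 digest, chosen only to resemble the `password_sha`/`salt` fields of a CouchDB 1.x `_users` document; the digest algorithm is illustrative, the point is which side computes it.

```python
import hashlib
import hmac
import os
from typing import Optional


# Constructed user record (assumption: salted SHA-1 similar to the
# password_sha/salt fields of a CouchDB 1.x _users document).
def make_record(password: str, salt: Optional[str] = None) -> dict:
    salt = salt if salt is not None else os.urandom(16).hex()
    digest = hashlib.sha1((password + salt).encode()).hexdigest()
    return {"salt": salt, "password_sha": digest}


def verify_server_side(record: dict, submitted: str) -> bool:
    """Design A: the server receives the plaintext and hashes it itself."""
    digest = hashlib.sha1((submitted + record["salt"]).encode()).hexdigest()
    return hmac.compare_digest(digest, record["password_sha"])


def verify_client_hash(record: dict, submitted_digest: str) -> bool:
    """Design B: the client hashes and the server only compares digests."""
    return hmac.compare_digest(submitted_digest, record["password_sha"])


def compare_designs(password: str = "correct horse") -> dict:
    """Run both designs with the real password and with a copy of the
    stored digest, i.e. what anyone who can read the user store holds."""
    rec = make_record(password)
    stored_digest = rec["password_sha"]
    # An honest client under design B must fetch the salt and hash itself.
    honest_digest = hashlib.sha1((password + rec["salt"]).encode()).hexdigest()
    return {
        "A_real_password": verify_server_side(rec, password),
        "A_stored_digest": verify_server_side(rec, stored_digest),
        "B_real_password": verify_client_hash(rec, honest_digest),
        "B_stored_digest": verify_client_hash(rec, stored_digest),
    }


if __name__ == "__main__":
    for design, ok in compare_designs().items():
        print(f"{design}: {'accepted' if ok else 'rejected'}")
```

Under design A the stored digest is rejected because the server re-hashes whatever it is sent; under design B it is accepted, which is exactly the sense in which the stored hash has become the password.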
