couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Newson <rnew...@apache.org>
Subject Improving password hashing.
Date Wed, 06 Jul 2011 12:43:12 GMT
All,

Our current password hashing scheme is weak. In fact, it's regarded as
weak as plaintext. I'd like to change that.

Some time ago I wrote some code to implement the PBKDF2 protocol. This
is a cryptographically sound means of deriving a key from a password.
The output is also usable as a password hash. An important part of the
protocol is that the work factor can be increased by increasing the
loop count. Additionally, it is not tied to a specific digest
algorithm. All these points are not true of the sometimes proposed
alternative called 'bcrypt' which I do not recommend.

I would like this to go into CouchDB 1.2. New passwords, and updated
passwords, from 1.2 onwards would use the new scheme, but 1.2 will,
obviously, be able to verify the current style. This work will take
place within couch_server where hash_admin_passwords currently lives.

The PKBDF2 code is here:
https://github.com/rnewson/couchdb/tree/pbkdf2. It passes all the test
vectors.

The ticket for this work is https://issues.apache.org/jira/browse/COUCHDB-1060

B.

Mime
View raw message