couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: Improving password hashing.
Date Wed, 06 Jul 2011 13:05:22 GMT
On Wed, Jul 6, 2011 at 2:43 PM, Robert Newson <rnewson@apache.org> wrote:
> All,
>
> Our current password hashing scheme is weak. In fact, it's regarded as
> weak as plaintext. I'd like to change that.
>
> Some time ago I wrote some code to implement the PBKDF2 protocol. This
> is a cryptographically sound means of deriving a key from a password.
> The output is also usable as a password hash. An important part of the
> protocol is that the work factor can be increased by increasing the
> loop count. Additionally, it is not tied to a specific digest
> algorithm. All these points are not true of the sometimes proposed
> alternative called 'bcrypt' which I do not recommend.
>
> I would like this to go into CouchDB 1.2. New passwords, and updated
> passwords, from 1.2 onwards would use the new scheme, but 1.2 will,
> obviously, be able to verify the current style. This work will take
> place within couch_server where hash_admin_passwords currently lives.
>
> The PKBDF2 code is here:
> https://github.com/rnewson/couchdb/tree/pbkdf2. It passes all the test
> vectors.
>
> The ticket for this work is https://issues.apache.org/jira/browse/COUCHDB-1060
>
> B.
>
That sounds good. I would prefer however a customizable hashing method
for passwords so we can change it easily depending the target. Some
administrations for example require that you use some methods (like
sha256 in europe) and it would be very useful.

- benoƮt

Mime
View raw message