Return-Path: 
 <dev-return-17072-apmail-couchdb-dev-archive=couchdb.apache.org@couchdb.apache.org>
X-Original-To: apmail-couchdb-dev-archive@www.apache.org
Delivered-To: apmail-couchdb-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id D78C46BEB
	for <apmail-couchdb-dev-archive@www.apache.org>;
 Wed,  6 Jul 2011 15:00:29 +0000 (UTC)
Received: (qmail 86496 invoked by uid 500); 6 Jul 2011 15:00:29 -0000
Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org
Received: (qmail 86434 invoked by uid 500); 6 Jul 2011 15:00:28 -0000
Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@couchdb.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@couchdb.apache.org>
List-Post: <mailto:dev@couchdb.apache.org>
List-Id: <dev.couchdb.apache.org>
Reply-To: dev@couchdb.apache.org
Delivered-To: mailing list dev@couchdb.apache.org
Received: (qmail 86426 invoked by uid 99); 6 Jul 2011 15:00:28 -0000
Received: from minotaur.apache.org (HELO minotaur.apache.org) (140.211.11.9)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 06 Jul 2011 15:00:28 +0000
Received: from localhost (HELO [172.20.10.2]) (127.0.0.1)
  (smtp-auth username nslater, mechanism plain)
  by minotaur.apache.org (qpsmtpd/0.29) with ESMTP;
 Wed, 06 Jul 2011 15:00:28 +0000
Subject: Re: Improving password hashing.
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Noah Slater <nslater@apache.org>
In-Reply-To: 
 <CABvT1DGGr+1VokWh5GPNcVACXAeJJSRQ98h7jU=TzKirjSc4Jw@mail.gmail.com>
X-Noah: Awesome
Date: Wed, 6 Jul 2011 16:00:24 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <A7CEA3DB-65ED-41FA-B2A5-A6FFEEA73FD2@apache.org>
References: 
 <CABvT1DFkZHWMZ15DCVQiedy9+GdgCtXhMtY-8qfPq35bmeHOsw@mail.gmail.com>
 <CAJNb-9qviqvOFNZju59ixaM+8Qf=7hqUPsFHr7unh+sqi=GZ4g@mail.gmail.com>
 <CABvT1DERcrCFVkzZBSQYFruTnqEEEu0JUU3gQ2pMdPGTYawT8Q@mail.gmail.com>
 <CAL3q7H5FEYJe0gugkvAYQ7GOduYCYqbNWH37jxwTQ-ry=70b3w@mail.gmail.com>
 <CABvT1DHMatLeR95sY019SqXmagokF+wKdVX26ebO4yUHj2PDJw@mail.gmail.com>
 <CAL3q7H6JqzEDknHt3cuDuC0oc_2RPjEx7g=iKBjxWGsBScRo+w@mail.gmail.com>
 <CABvT1DGGr+1VokWh5GPNcVACXAeJJSRQ98h7jU=TzKirjSc4Jw@mail.gmail.com>
To: dev@couchdb.apache.org
X-Mailer: Apple Mail (2.1084)


On 6 Jul 2011, at 15:43, Robert Newson wrote:

> Essentially, in 1.2, I'm saying that the password setting
> functionality occurs solely on the Erlang side, it can't be done from
> Javascript any more. I'm unsure how controversial that is, but it's my
> experience that it's always the server that gets the plaintext of a
> password and hashes it for storage, it's only here that I've seen it
> done in the client.

There's a reason for this. Unless I'm missing something, if the client =
is allowed to submit the password hash itself, you may as well be using =
plaintext passwords. All an attacker would have to do is gain access to =
the hashes, and use them directly.