couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jan Lehnardt (JIRA)" <>
Subject [jira] [Commented] (COUCHDB-2066) Don't allow stupid storage of passwords
Date Sat, 15 Feb 2014 23:59:19 GMT


Jan Lehnardt commented on COUCHDB-2066:

Since 1.3.0, CouchDB uses PBKDF2 for password hashing for user accounts.

CouchDB will accept the old sha+salt format to not break BC, since it was introduced in a
minor version update.

Users are discouraged to use the old sha/salt ones though, we just kept the API intact.

What we should do, though, is adding a transparent layer to turn sha+salt-style PWs into pbkdf2
PWs transparently.

I’m not sure how to swing that without a API BC break, and we should run this plan by a
proper cryptographer.

> Don't allow stupid storage of passwords
> ---------------------------------------
>                 Key: COUCHDB-2066
>                 URL:
>             Project: CouchDB
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>            Reporter: Isaac Z. Schlueter
> If a password_sha/salt combination is PUT into the _users db, wrap that up in PBKDF2.
> Discussion:

This message was sent by Atlassian JIRA

View raw message