couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alexander Shorin (JIRA)" <>
Subject [jira] [Commented] (COUCHDB-2066) Don't allow stupid storage of passwords
Date Sun, 16 Feb 2014 00:22:19 GMT


Alexander Shorin commented on COUCHDB-2066:

I'm not familiar with security and even couldn't say for sure what's wrong with sha/salt,
but I just leave this the next thing for the further thoughts: are you sure that our current
pbkdf2 is secure more than sha/salt? Since because we have 10 iterations while RFC 2989 recommends
1000 as minimum (and we know how does it hurt performance with basic auth). I have some feel
it doesn't much so and replacing in rush all sha's with pbdkf2 wouldn't significantly improve
overall security unless we'll raise iteration counts too. 

> Don't allow stupid storage of passwords
> ---------------------------------------
>                 Key: COUCHDB-2066
>                 URL:
>             Project: CouchDB
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>            Reporter: Isaac Z. Schlueter
> If a password_sha/salt combination is PUT into the _users db, wrap that up in PBKDF2.
> Discussion:

This message was sent by Atlassian JIRA

View raw message