couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Newson (JIRA)" <>
Subject [jira] [Commented] (COUCHDB-2066) Don't allow stupid storage of passwords
Date Sun, 16 Feb 2014 15:52:19 GMT


Robert Newson commented on COUCHDB-2066:

We can and should upgrade _user records on next authentication (when we have the password)
and not wait until the user changes their password. Upconverting from the old scheme to the
new one is a novel (and therefore almost certainly broken) security algorithm, very much -1
on that.

As a further enhancement, we could allow a server config setting that refuses users that only
have password_sha on disk, and force them to change their password.

> Don't allow stupid storage of passwords
> ---------------------------------------
>                 Key: COUCHDB-2066
>                 URL:
>             Project: CouchDB
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>            Reporter: Isaac Z. Schlueter
> If a password_sha/salt combination is PUT into the _users db, wrap that up in PBKDF2.
> Discussion:

This message was sent by Atlassian JIRA

View raw message