Hi Robert,
Yeah, the rate-limit was the first thing in my mind, but the changes to the auth system sound
good, too.
I'll have a look at IP restrictions in the meantime.
Thanks,
Martin
On Wednesday, 11 July 2012 at 15:12, Robert Newson wrote:
> Hi Martin,
>
> If you mean some kind of rate-limiting for authentication requests, no (though that's
> a neat idea). The next release of CouchDB brings PBKDF2 as an enhancement to the SHA1 password
> hashes. This brings a configurable work factor which effectively limits the rate of authentication
> (at a CPU cost). It would be simple to impose a fixed and configurable delay to authenticating
> on top of that, though.
>
> B.
>
>
> On 11 Jul 2012, at 14:22, Martin Hewitt wrote:
>
> > Hi all,
> >
> > When using require_valid_user, does CouchDB have any built-in brute force protection
> > or should I be looking at an external way of preventing such attacks?
> >
> > Thanks,
> >
> > Martin
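
The two measures discussed in this thread, PBKDF2 with a configurable work factor and a fixed delay on top of it, shown together with a per-source failure limit as an added Python example; it is not part of the original messages and is not CouchDB code. The `Authenticator` class, the record layout and all parameter names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Added example: names and record layout are assumptions, not CouchDB's own.
def make_record(password, iterations):
    """PBKDF2-HMAC-SHA1 record; `iterations` is the configurable work factor."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "derived_key": dk}

def verify(password, record):
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["derived_key"])  # constant-time compare

def seconds_per_guess(iterations, samples=3):
    """Measured CPU cost of one password check at this work factor."""
    record = make_record("constructed-sample", iterations)
    start = time.perf_counter()
    for _ in range(samples):
        verify("wrong-guess", record)
    return (time.perf_counter() - start) / samples

class Authenticator:
    """Hypothetical front end: PBKDF2 check, fixed delay, per-source limit."""
    def __init__(self, users, iterations, fail_delay=0.5, max_failures=5,
                 window=60.0, clock=time.monotonic, sleep=time.sleep):
        self.users, self.fail_delay = users, fail_delay
        self.max_failures, self.window = max_failures, window
        self.clock, self.sleep = clock, sleep
        self.failures = {}  # source address -> timestamps of recent failures
        # Unknown users are checked against a dummy record so they cost the same.
        self.dummy = make_record(os.urandom(16).hex(), iterations)

    def login(self, source, user, password):
        now = self.clock()
        recent = [t for t in self.failures.get(source, []) if now - t < self.window]
        self.failures[source] = recent
        if len(recent) >= self.max_failures:
            return "throttled"  # rejected before any hashing work is spent
        known = user in self.users
        if verify(password, self.users.get(user, self.dummy)) and known:
            return "ok"
        recent.append(now)
        self.sleep(self.fail_delay)  # fixed, configurable delay on failure
        return "denied"
```

`seconds_per_guess` gives the per-attempt CPU cost on the server for a chosen iteration count, which is the figure to weigh against legitimate login volume when picking the work factor.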