incubator-couchdb-user mailing list archives

From Robert Newson <rnew...@apache.org>
Subject Re: Hide hash and salt on _users
Date Wed, 12 Oct 2011 16:50:28 GMT
See https://issues.apache.org/jira/browse/COUCHDB-1060 for a
mitigating proposal.

B.

On 12 October 2011 17:43, Travis Paul <Tr@vispaul.me> wrote:
> Is there any way to hide the salt and hash from the _users database and still
> allow users to log in?
> It seems too easy for an attacker to download the database and run
> dictionary attacks (especially with passwords some of my users choose).
> I'm aware that I could protect the _users database, but then I will need to
> have some server side code that uses an appropriate account to authenticate
> and set the cookie for the user.
> Which is not a huge deal of work but I'm trying to keep everything within
> the CouchApp model (while still being able to Relax).
>
> Thanks!
>
