incubator-couchdb-user mailing list archives

From Robert Newson <>
Subject Re: Hide hash and salt on _users
Date Wed, 12 Oct 2011 16:50:28 GMT
See for a
mitigating proposal.


On 12 October 2011 17:43, Travis Paul <> wrote:
> Is there any way to hide the salt and hash from the _users database and still
> allow users to log in?
> It seems too easy for an attacker to download the database and run
> dictionary attacks (especially with passwords some of my users choose).
> I'm aware that I could protect the _users database, but then I will need to
> have some server side code that uses an appropriate account to authenticate
> and set the cookie for the user.
> Which is not a huge deal of work but I'm trying to keep everything within
> the CouchApp model (while still being able to Relax).
> Thanks!
