incubator-couchdb-user mailing list archives

From Jason Smith <...@iriscouch.com>
Subject Re: Hide hash and salt on _users
Date Wed, 12 Oct 2011 18:33:47 GMT
That is one of the major motivations behind my inbox db patch.

https://issues.apache.org/jira/browse/COUCHDB-1287

Feel free to up vote if you agree :)

On Thu, Oct 13, 2011 at 12:01 AM, Travis Paul <Tr@vispaul.me> wrote:
> Thanks Robert,
> I found that already and was hoping there was some way to just mask the
> sha/hash altogether...
> Guess I'll just lock out the _users database for now :/
>
>
> On Wed, Oct 12, 2011 at 12:50 PM, Robert Newson <rnewson@apache.org> wrote:
>
>> See https://issues.apache.org/jira/browse/COUCHDB-1060 for a
>> mitigating proposal.
>>
>> B.
>>
>> On 12 October 2011 17:43, Travis Paul <Tr@vispaul.me> wrote:
>> > Is there any way to hide the salt and hash from the _users database and
>> > still allow users to log in?
>> > It seems too easy for an attacker to download the database and run
>> > dictionary attacks (especially with passwords some of my users choose).
>> > I'm aware that I could protect the _users database, but then I will need
>> > to have some server side code that uses an appropriate account to
>> > authenticate and set the cookie for the user.
>> > Which is not a huge deal of work but I'm trying to keep everything within
>> > the CouchApp model (while still being able to Relax).
>> >
>> > Thanks!
>> >
>>
>



-- 
Iris Couch
