incubator-couchdb-user mailing list archives

From Travis Paul ...@visPaul.me>
Subject Re: Hide hash and salt on _users
Date Wed, 12 Oct 2011 17:01:22 GMT
Thanks Robert,
I found that already and was hoping there was some way to just mask the
sha/hash altogether...
Guess I'll just lock out the _users database for now :/


On Wed, Oct 12, 2011 at 12:50 PM, Robert Newson <rnewson@apache.org> wrote:

> See https://issues.apache.org/jira/browse/COUCHDB-1060 for a
> mitigating proposal.
>
> B.
>
> On 12 October 2011 17:43, Travis Paul <Tr@vispaul.me> wrote:
> > Is there any way to hide the salt and hash from the _users database and still
> > allow users to log in?
> > It seems too easy for an attacker to download the database and run
> > dictionary attacks (especially with passwords some of my users choose).
> > I'm aware that I could protect the _users database, but then I will need to
> > have some server side code that uses an appropriate account to authenticate
> > and set the cookie for the user.
> > Which is not a huge deal of work but I'm trying to keep everything within
> > the CouchApp model (while still being able to Relax).
> >
> > Thanks!
> >
>
