incubator-couchdb-user mailing list archives

From Robert Newson <rnew...@apache.org>
Subject Re: CouchDB, require_valid_user and brute force
Date Wed, 11 Jul 2012 14:12:39 GMT
Hi Martin,

If you mean some kind of rate-limiting for authentication requests, no (though that's a neat
idea). The next release of CouchDB brings PBKDF2 as an enhancement to the SHA1 password hashes.
This brings a configurable work factor which effectively limits the rate of authentication
(at a CPU cost). It would be simple to impose a fixed and configurable delay to authenticating
on top of that, though.

B.


On 11 Jul 2012, at 14:22, Martin Hewitt wrote:

> Hi all,
> 
> When using require_valid_user, does CouchDB have any built-in brute force protection or should I be looking at an external way of preventing such attacks?
> 
> Thanks,
> 
> Martin
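
The trade-off described in the reply above, as an added example that is not part of the original message and is not CouchDB's code: a PBKDF2-HMAC-SHA1 check whose iteration count and optional fixed delay bound how many sequential login attempts one worker can process per second. The function names, iteration counts and the 0.5 s delay are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1, 20-byte key; `iterations` is the work factor."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, dklen=20)

def verify(password, salt, iterations, expected, delay=0.0, sleep=time.sleep):
    """Check one login attempt; the fixed delay applies to success and failure alike."""
    candidate = derive(password, salt, iterations)
    if delay > 0:
        sleep(delay)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

def attempts_per_second(iterations, delay=0.0, trials=3):
    """Upper bound on sequential attempts/sec for one worker: 1 / (hash time + delay)."""
    salt = os.urandom(16)
    expected = derive("constructed-sample-password", salt, iterations)
    start = time.perf_counter()
    for _ in range(trials):
        verify("wrong-guess", salt, iterations, expected)  # measure hashing only
    hash_time = (time.perf_counter() - start) / trials
    return 1.0 / (hash_time + delay)

if __name__ == "__main__":
    for iters in (10, 10_000, 100_000):  # constructed work factors, not CouchDB defaults
        print(f"iterations={iters:>7}: <= {attempts_per_second(iters):10.0f} attempts/s, "
              f"<= {attempts_per_second(iters, delay=0.5):.2f} with a 0.5 s delay")
```

The work factor is paid in server CPU on every attempt, legitimate logins included, while the fixed delay costs no CPU but only bounds sequential attempts on a single connection.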

