incubator-couchdb-user mailing list archives

From Martin Hewitt <mar...@thenoi.se>
Subject Re: CouchDB, require_valid_user and brute force
Date Wed, 11 Jul 2012 14:24:24 GMT
Hi Robert, 

Yeah, the rate-limit was the first thing in my mind, but the changes to the auth system sound
good, too. 

I'll have a look at IP restrictions in the meantime. 

Thanks, 

Martin


On Wednesday, 11 July 2012 at 15:12, Robert Newson wrote:

> Hi Martin,
> 
> If you mean some kind of rate-limiting for authentication requests, no (though that's a neat idea). The next release of CouchDB brings PBKDF2 as an enhancement to the SHA1 password hashes. This brings a configurable work factor which effectively limits the rate of authentication (at a CPU cost). It would be simple to impose a fixed and configurable delay to authenticating on top of that, though.
> 
> B.
> 
> 
> On 11 Jul 2012, at 14:22, Martin Hewitt wrote:
> 
> > Hi all,
> > 
> > When using require_valid_user, does CouchDB have any built-in brute force protection or should I be looking at an external way of preventing such attacks?
> > 
> > Thanks,
> > 
> > Martin 
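
The two mitigations discussed in this thread, a PBKDF2 work factor and a fixed delay on top of it, sketched as an added example; this is not code from the thread or from CouchDB. The function names, the 16-byte salt, the iteration counts and the delay value are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time


def hash_password(password, iterations, salt=None):
    """Return (derived_key, salt, iterations) using PBKDF2-HMAC-SHA1."""
    salt = os.urandom(16) if salt is None else salt  # 16-byte salt is an assumption
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, dklen=20)
    return dk, salt, iterations


def verify_password(password, stored, min_delay=0.0):
    """Check a guess; every call costs `iterations` HMAC rounds plus a time floor."""
    dk, salt, iterations = stored
    start = time.monotonic()
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, dklen=20)
    ok = hmac.compare_digest(candidate, dk)  # constant-time comparison
    # Fixed delay on top of the work factor, applied to success and failure alike.
    remaining = min_delay - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return ok


def max_guesses_per_second(iterations, min_delay=0.0, samples=3):
    """Measured ceiling on sequential guesses per second against one stored hash."""
    stored = hash_password("constructed-password", iterations, salt=b"constructed-salt")
    start = time.monotonic()
    for i in range(samples):
        verify_password("guess-%d" % i, stored, min_delay)
    return samples / (time.monotonic() - start)


if __name__ == "__main__":
    for iterations in (10, 10_000, 100_000):  # constructed work factors
        rate = max_guesses_per_second(iterations)
        print("iterations=%-7d -> at most %.0f guesses/s per core" % (iterations, rate))
    print("with 0.25 s delay  -> at most %.1f guesses/s per connection"
          % max_guesses_per_second(10_000, min_delay=0.25))
```

The ceiling measured here applies to one sequential client; parallel connections multiply it, so a per-account or per-IP limit in front of the server is still needed. Each attempt also costs the server the same CPU time as the client's guess, which is the trade-off noted in the reply above.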

