From user-return-21520-apmail-couchdb-user-archive=couchdb.apache.org@couchdb.apache.org Wed Jul 11 14:12:46 2012 Return-Path: X-Original-To: apmail-couchdb-user-archive@www.apache.org Delivered-To: apmail-couchdb-user-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id B40E1D7C6 for ; Wed, 11 Jul 2012 14:12:46 +0000 (UTC) Received: (qmail 33977 invoked by uid 500); 11 Jul 2012 14:12:45 -0000 Delivered-To: apmail-couchdb-user-archive@couchdb.apache.org Received: (qmail 33710 invoked by uid 500); 11 Jul 2012 14:12:45 -0000 Mailing-List: contact user-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@couchdb.apache.org Delivered-To: mailing list user@couchdb.apache.org Received: (qmail 33682 invoked by uid 99); 11 Jul 2012 14:12:44 -0000 Received: from minotaur.apache.org (HELO minotaur.apache.org) (140.211.11.9) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 11 Jul 2012 14:12:44 +0000 Received: from localhost (HELO [192.168.1.7]) (127.0.0.1) (smtp-auth username rnewson, mechanism plain) by minotaur.apache.org (qpsmtpd/0.29) with ESMTP; Wed, 11 Jul 2012 14:12:43 +0000 Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Apple Message framework v1278) Subject: Re: CouchDB, require_valid_user and brute force From: Robert Newson In-Reply-To: <03E58354F5CA49A4AFA93A50E0722DFF@thenoi.se> Date: Wed, 11 Jul 2012 15:12:39 +0100 Content-Transfer-Encoding: quoted-printable Message-Id: <42A2AB90-1D82-4204-B855-2664FEA34DFF@apache.org> References: <03E58354F5CA49A4AFA93A50E0722DFF@thenoi.se> To: user@couchdb.apache.org X-Mailer: Apple Mail (2.1278) Hi Martin, If you mean some kind of rate-limiting for authentication requests, no = (though that's a neat idea). The next release of couchdb brings PBKDF2 = as an enhancement to the SHA1 passwords hashes. This brings a = configurable work factor which effectively limits the rate of = authentication (at a cpu cost). It would be simple to impose a fixed and = configurable delay to authenticating on top of that, though. B. On 11 Jul 2012, at 14:22, Martin Hewitt wrote: > Hi all, >=20 > When using require_valid_user, does CouchDB have any built-in brute = force protection or should I be looking at an external way of preventing = such attacks?=20 >=20 > Thanks, >=20 > Martin