[
https://issues.apache.org/jira/browse/COUCHDB-1060?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12991032#comment-12991032
]
Nuutti Kotivuori commented on COUCHDB-1060:
-------------------------------------------
Do note that plain HTTP authentication is somewhat problematic with these, as
the password is sent as plaintext and the hash calculation has to be done by
the server on each request. It's probably necessary to cache the authentication
result for a certain plaintext password.
> CouchDB should use a secure password hash method instead of the current one
> ---------------------------------------------------------------------------
>
> Key: COUCHDB-1060
> URL: https://issues.apache.org/jira/browse/COUCHDB-1060
> Project: CouchDB
> Issue Type: Improvement
> Components: Database Core
> Affects Versions: 1.0.2
> Reporter: Nuutti Kotivuori
> Priority: Minor
>
> CouchDB passwords are stored in a salted, hashed format of a 128-bit salt
> combined with the password under SHA-1. This method thwarts rainbow table
> attacks, but is utterly ineffective against any dictionary attacks as
> computing SHA-1 is very fast indeed.
> If passwords are to be stored in a non-plaintext equivalent format, the hash
> function needs to be a "slow" hash function. Suitable candidates for this
> could be bcrypt, scrypt and PBKDF2. Of the choices, only PBKDF2 is really
> widely used, standardized and goverment approved. (Note: don't be fooled that
> the PBKDF2 is a "key derivation" function - in this case, it is exactly the
> same thing as a slow password hash.)
> http://en.wikipedia.org/wiki/PBKDF2
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
