[
https://issues.apache.org/jira/browse/COUCHDB-2066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13902592#comment-13902592
]
Alexander Shorin commented on COUCHDB-2066:
-------------------------------------------
I'm not familiar with security and even couldn't say for sure what's wrong with
sha/salt, but I just leave this the next thing for the further thoughts: are
you sure that our current pbkdf2 is secure more than sha/salt? Since because we
have 10 iterations while RFC 2989 recommends 1000 as minimum (and we know how
does it hurt performance with basic auth). I have some feel it doesn't much so
and replacing in rush all sha's with pbdkf2 wouldn't significantly improve
overall security unless we'll raise iteration counts too.
> Don't allow stupid storage of passwords
> ---------------------------------------
>
> Key: COUCHDB-2066
> URL: https://issues.apache.org/jira/browse/COUCHDB-2066
> Project: CouchDB
> Issue Type: Bug
> Security Level: public(Regular issues)
> Reporter: Isaac Z. Schlueter
>
> If a password_sha/salt combination is PUT into the _users db, wrap that up in
> PBKDF2.
> Discussion:
> https://twitter.com/janl/status/434818855626502144
> https://twitter.com/izs/status/434835388213899264
> https://twitter.com/janl/status/434835614790586368
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
