Posted to user@couchdb.apache.org by Travis Paul <Tr...@visPaul.me> on 2011/10/12 18:43:59 UTC

Hide hash and salt on _users

Is there any way to hide the salt and hash from the _users database and still
allow users to log in?
It seems too easy for an attacker to download the database and run
dictionary attacks (Especially with passwords some of my users choose).
I'm aware that I could protect the _users database, but then I will need to
have some server side code that uses an appropriate account to authenticate
and set the cookie for the user.
Which is not a huge deal of work but I'm trying to keep everything within
the CouchApp model (while still being able to Relax).

Thanks!
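An added example (not from this thread, and not CouchDB's own code) showing what the concern above amounts to in concrete terms: a CouchDB 1.x _users document stores the salt in clear beside password_sha = hex(sha1(password + salt)), so a copy of the database gives an attacker one SHA-1 per dictionary word. It also goes slightly beyond the thread by building the pbkdf2-scheme document that CouchDB 1.3 and later store in the same database, which multiplies that per-guess cost by the iteration count. User names, passwords and salts are constructed.

```python
import hashlib
import hmac
import os

def make_sha_user(name, password, salt=None):
    """Constructed _users doc in the 1.x password_sha scheme."""
    salt = salt or os.urandom(16).hex()
    digest = hashlib.sha1((password + salt).encode("utf-8")).hexdigest()
    return {"_id": "org.couchdb.user:" + name, "name": name, "type": "user",
            "roles": [], "salt": salt, "password_sha": digest}

def make_pbkdf2_user(name, password, iterations=10000, salt=None):
    """Constructed _users doc in the pbkdf2 scheme (CouchDB 1.3+):
    derived_key = hex(PBKDF2-HMAC-SHA1(password, salt, iterations, 20 bytes))."""
    salt = salt or os.urandom(16).hex()
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                              salt.encode("utf-8"), iterations, 20).hex()
    return {"_id": "org.couchdb.user:" + name, "name": name, "type": "user",
            "roles": [], "password_scheme": "pbkdf2", "iterations": iterations,
            "salt": salt, "derived_key": key}

def verify_password(doc, candidate):
    """Re-derive the stored value from a candidate password and compare in
    constant time. This is the same computation a dictionary attack repeats
    once the document has been downloaded, which is why the scheme matters."""
    salt = doc["salt"].encode("utf-8")
    if doc.get("password_scheme") == "pbkdf2":
        expected = doc["derived_key"]
        actual = hashlib.pbkdf2_hmac("sha1", candidate.encode("utf-8"),
                                     salt, doc["iterations"], 20).hex()
    else:
        expected = doc["password_sha"]
        actual = hashlib.sha1(candidate.encode("utf-8") + salt).hexdigest()
    return hmac.compare_digest(actual, expected)

def hashes_per_guess(doc):
    """Hash invocations an attacker pays per dictionary word for this doc."""
    return doc["iterations"] if doc.get("password_scheme") == "pbkdf2" else 1

if __name__ == "__main__":
    weak = make_sha_user("travis", "relax")           # constructed credentials
    strong = make_pbkdf2_user("travis", "relax", 10000)
    print(verify_password(weak, "relax"), verify_password(weak, "Relax"))
    print(hashes_per_guess(weak), "vs", hashes_per_guess(strong), "per guess")
```

Restricting reads on _users (the "lock out" option discussed below) keeps the documents from being downloaded at all; the stronger scheme limits the damage if they are.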

Re: Hide hash and salt on _users

Posted by Jason Smith <jh...@iriscouch.com>.
That is one of the major motivations behind my inbox db patch.

https://issues.apache.org/jira/browse/COUCHDB-1287

Feel free to up vote if you agree :)

On Thu, Oct 13, 2011 at 12:01 AM, Travis Paul <Tr...@vispaul.me> wrote:
> Thanks Robert,
> I found that already and was hoping there was some way to just mask the
> sha/hash altogether...
> Guess I'll just lock out the _users database for now :/
>
>
> On Wed, Oct 12, 2011 at 12:50 PM, Robert Newson <rn...@apache.org> wrote:
>
>> See https://issues.apache.org/jira/browse/COUCHDB-1060 for a
>> mitigating proposal.
>>
>> B.
>>
>> On 12 October 2011 17:43, Travis Paul <Tr...@vispaul.me> wrote:
>> > Is there any way to hide the salt and hash from the _users database and
>> still
>> > allow users to log in?
>> > It seems too easy for an attacker to download the database and run
>> > dictionary attacks (Especially with passwords some of my users choose).
>> > I'm aware that I could protect the _users database, but then I will need
>> to
>> > have some server side code that uses an appropriate account to
>> authenticate
>> > and set the cookie for the user.
>> > Which is not a huge deal of work but I'm trying to keep everything within
>> > the CouchApp model (while still being able to Relax).
>> >
>> > Thanks!
>> >
>>
>



-- 
Iris Couch

Re: Hide hash and salt on _users

Posted by Travis Paul <Tr...@visPaul.me>.
Thanks Robert,
I found that already and was hoping there was some way to just mask the
sha/hash altogether...
Guess I'll just lock out the _users database for now :/


On Wed, Oct 12, 2011 at 12:50 PM, Robert Newson <rn...@apache.org> wrote:

> See https://issues.apache.org/jira/browse/COUCHDB-1060 for a
> mitigating proposal.
>
> B.
>
> On 12 October 2011 17:43, Travis Paul <Tr...@vispaul.me> wrote:
> > Is there any way to hide the salt and hash from the _users database and
> still
> > allow users to log in?
> > It seems too easy for an attacker to download the database and run
> > dictionary attacks (Especially with passwords some of my users choose).
> > I'm aware that I could protect the _users database, but then I will need
> to
> > have some server side code that uses an appropriate account to
> authenticate
> > and set the cookie for the user.
> > Which is not a huge deal of work but I'm trying to keep everything within
> > the CouchApp model (while still being able to Relax).
> >
> > Thanks!
> >
>

Re: Hide hash and salt on _users

Posted by Robert Newson <rn...@apache.org>.
See https://issues.apache.org/jira/browse/COUCHDB-1060 for a
mitigating proposal.

B.

On 12 October 2011 17:43, Travis Paul <Tr...@vispaul.me> wrote:
> Is there any way to hide the salt and hash from the _users database and still
> allow users to log in?
> It seems too easy for an attacker to download the database and run
> dictionary attacks (Especially with passwords some of my users choose).
> I'm aware that I could protect the _users database, but then I will need to
> have some server side code that uses an appropriate account to authenticate
> and set the cookie for the user.
> Which is not a huge deal of work but I'm trying to keep everything within
> the CouchApp model (while still being able to Relax).
>
> Thanks!
>