You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@couchdb.apache.org by "Jan Lehnardt (JIRA)" <ji...@apache.org> on 2014/02/16 00:59:19 UTC
[jira] [Commented] (COUCHDB-2066) Don't allow stupid storage of
passwords
[ https://issues.apache.org/jira/browse/COUCHDB-2066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13902584#comment-13902584 ]
Jan Lehnardt commented on COUCHDB-2066:
---------------------------------------
Since 1.3.0, CouchDB uses PBKDF2 for password hashing for user accounts.
CouchDB will accept the old sha+salt format to not break BC, since it was introduced in a minor version update.
Users are discouraged to use the old sha/salt ones though, we just kept the API intact.
What we should do, though, is adding a transparent layer to turn sha+salt-style PWs into pbkdf2 PWs transparently.
I’m not sure how to swing that without a API BC break, and we should run this plan by a proper cryptographer.
> Don't allow stupid storage of passwords
> ---------------------------------------
>
> Key: COUCHDB-2066
> URL: https://issues.apache.org/jira/browse/COUCHDB-2066
> Project: CouchDB
> Issue Type: Bug
> Security Level: public(Regular issues)
> Reporter: Isaac Z. Schlueter
>
> If a password_sha/salt combination is PUT into the _users db, wrap that up in PBKDF2.
> Discussion:
> https://twitter.com/janl/status/434818855626502144
> https://twitter.com/izs/status/434835388213899264
> https://twitter.com/janl/status/434835614790586368
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)