Posted to dev@couchdb.apache.org by "Robert Newson (Resolved) (JIRA)" <ji...@apache.org> on 2012/03/26 18:22:28 UTC
[jira] [Resolved] (COUCHDB-1060) CouchDB should use a secure password hash method instead of the current one
[ https://issues.apache.org/jira/browse/COUCHDB-1060?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Newson resolved COUCHDB-1060.
------------------------------------
Resolution: Fixed
> CouchDB should use a secure password hash method instead of the current one
> ---------------------------------------------------------------------------
>
> Key: COUCHDB-1060
> URL: https://issues.apache.org/jira/browse/COUCHDB-1060
> Project: CouchDB
> Issue Type: Improvement
> Components: Database Core
> Affects Versions: 1.0.2
> Reporter: Nuutti Kotivuori
> Assignee: Robert Newson
> Priority: Minor
> Fix For: 1.3
>
> Attachments: 0001-Integrate-PBKDF2.patch, pbkdf2.erl, pbkdf2.erl
>
>
> CouchDB passwords are stored in a salted, hashed format of a 128-bit salt combined with the password under SHA-1. This method thwarts rainbow table attacks, but is utterly ineffective against any dictionary attacks as computing SHA-1 is very fast indeed.
> If passwords are to be stored in a non-plaintext equivalent format, the hash function needs to be a "slow" hash function. Suitable candidates for this could be bcrypt, scrypt and PBKDF2. Of the choices, only PBKDF2 is really widely used, standardized and government approved. (Note: don't be fooled that the PBKDF2 is a "key derivation" function - in this case, it is exactly the same thing as a slow password hash.)
> http://en.wikipedia.org/wiki/PBKDF2
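Added example, not part of the original message and not the attached CouchDB patch: a single salted SHA-1 pass next to PBKDF2-HMAC-SHA1, with a stored record that carries its own salt and iteration count so the work factor can be raised later. The iteration count, record layout, concatenation order and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 10_000   # assumed work factor; the issue does not name one
SALT_BYTES = 16       # 128-bit salt, as in the issue description


def legacy_sha1(password, salt):
    """One SHA-1 pass over password and salt (concatenation order assumed)."""
    return hashlib.sha1(password.encode() + salt).hexdigest()


def pbkdf2_record(password, salt=None, iterations=ITERATIONS):
    """Return 'scheme$iterations$salt_hex$key_hex' (hypothetical layout)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    return f"pbkdf2-sha1${iterations}${salt.hex()}${key.hex()}"


def verify(password, record):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        salt, rounds = bytes.fromhex(salt_hex), int(iterations)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2-sha1" or rounds < 1:
        return False
    key = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, rounds)
    return hmac.compare_digest(key.hex(), key_hex)


def cost_per_hash(fn, count):
    """Average seconds per call of fn over `count` distinct inputs."""
    start = time.perf_counter()
    for i in range(count):
        fn(f"candidate-{i}")
    return (time.perf_counter() - start) / count


if __name__ == "__main__":
    salt = os.urandom(SALT_BYTES)
    fast = cost_per_hash(lambda p: legacy_sha1(p, salt), 2000)
    slow = cost_per_hash(lambda p: pbkdf2_record(p, salt), 20)
    print(f"salted SHA-1: {fast * 1e6:.1f} us per hash")
    print(f"PBKDF2 x{ITERATIONS}: {slow * 1e6:.1f} us per hash")
    print(f"each dictionary guess costs about {slow / fast:.0f}x more")
```

The salt still defeats precomputed tables in both schemes; only the iteration count changes the per-guess cost of a dictionary attack.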