On Mon, Jan 4, 2010 at 1:26 PM, Adam Kocoloski <[email protected]> wrote:
> Hi, just catching up on this very nice thread. I'm +1 on using the login for
> the docid instead of triggering a view lookup, for the reasons Chris
> outlined. Regarding resistance to brute force attacks, bcrypt storage is
> definitely better than salted sha-anything, and Colin Percival's scrypt[1] is
> definitely better than bcrypt. I'm not aware of javascript implementations
> of either of them, though.
>

The current implementation runs the crypto in the browser to create the user document. This could be run in an Erlang _update function and then we could use erlang's bcrypt.

> I'm curious to see where we end up on the whole 401 Unauthorized browser
> popup thing. At Cloudant we still respond with a 401 if a basic auth request
> failed, but we send a 403 if a /_session request failed or a cookie expired,
> and for exactly this reason.
>

The solution I'm going with right now is to send a 401, but without the WWW-Authenticate header. This avoids triggering the popup, without breaking anything else.

> Anyway, nice work Chris! Best, Adam
>

Thanks!

> [1]: http://www.tarsnap.com/scrypt.html

--
Chris Anderson
http://jchrisa.net
http://couch.io
