On Mon, Jan 4, 2010 at 10:26 PM, Adam Kocoloski <[email protected]> wrote:
> Hi, just catching up on this very nice thread. I'm +1 on using the login for
> the docid instead of triggering a view lookup, for the reasons Chris
> outlined. Regarding resistance to brute force attacks, bcrypt storage is
> definitely better than salted sha-anything, and Colin Percival's scrypt[1] is
> definitely better than bcrypt. I'm not aware of javascript implementations
> of either of them, though.
>
> I'm curious to see where we end up on the whole 401 Unauthorized browser
> popup thing. At Cloudant we still respond with a 401 if a basic auth request
> failed, but we send a 403 if a /_session request failed or a cookie expired,
> and for exactly this reason.
>
> Anyway, nice work Chris! Best, Adam
>
> [1]: http://www.tarsnap.com/scrypt.html

There are some blowfish implementations in javascript: http://dren.ch/js_blowfish/#js_blowfish_20081901

I guess it could be used to do bcrypt but not sure about the exact algorithm.

- benoît
