On 25 Jan 2010, at 21:02, Chris Anderson wrote:

> On Tue, Jan 5, 2010 at 10:21 PM, Benoit Chesneau <[email protected]> wrote:
>>> --
>> There is a blowfish encryption implementation available in javascript.
>> doesn't bcrypt stand for "blowfish crypt" ?
>> http://www.openbsd.org/cgi-bin/man.cgi?query=bcrypt&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
>>
>> from where it has been created.
>>
>> - benoît
>>
>
> Is anyone up to replace our salted hashes with a JS bcrypt implementation?
I'm not a crypto expert, but it seems we can get away with sha1 if we use HMAC instead of just hashing + salting: http://benlog.com/articles/2008/06/19/dont-hash-secrets/ (there are more entries like these to be found, I'll dig 'em up if you like).

sha1 seems more universally available and more dependable than a bcrypt implementation we can trust. So I'm not convinced we need bcrypt.

Cheers
Jan
--

> If we can start supporting bcrypt for 0.11 we're less likely to have
> salted hash passwords hanging around *forever* from people who create
> user docs before 1.0.
>
> If no one else picks this up soon I'll look at it again for 1.0
>
> Thanks,
> Chris
>
> --
> Chris Anderson
> http://jchrisa.net
> http://couch.io
