CouchDB should use a secure password hash method instead of the current one
---------------------------------------------------------------------------

                 Key: COUCHDB-1060
                 URL: https://issues.apache.org/jira/browse/COUCHDB-1060
             Project: CouchDB
          Issue Type: Improvement
          Components: Database Core
    Affects Versions: 1.0.2
            Reporter: Nuutti Kotivuori
            Priority: Minor


CouchDB passwords are stored in a salted, hashed format of a 128-bit salt 
combined with the password under SHA-1. This method thwarts rainbow table 
attacks, but is utterly ineffective against any dictionary attacks as computing 
SHA-1 is very fast indeed.

If passwords are to be stored in a non-plaintext equivalent format, the hash 
function needs to be a "slow" hash function. Suitable candidates for this could 
be bcrypt, scrypt and PBKDF2. Of the choices, only PBKDF2 is really widely 
used, standardized and government approved. (Note: don't be fooled that
PBKDF2 is a "key derivation" function - in this case, it is exactly the same 
thing as a slow password hash.)

http://en.wikipedia.org/wiki/PBKDF2

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

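Worked example of the two schemes the ticket contrasts, added here for illustration; it is not CouchDB's code (CouchDB is written in Erlang, but the point is the hash construction, so Python's standard library is used). It assumes a salted SHA-1 of password followed by a hex salt for the legacy scheme (the concatenation order is an assumption, the ticket only says salt and password are combined under SHA-1), PBKDF2-HMAC-SHA256 with an assumed iteration count of 100,000 for the slow scheme (the ticket names PBKDF2 without fixing a PRF or work factor), and a record layout of `scheme`/`salt`/`iterations`/`hash` that exists only for this example. The wordlist is constructed, not a real leak. The `crack` function is the attacker's offline dictionary loop; `slowdown_factor` measures how much more each guess costs under PBKDF2 than under one SHA-1.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist for the dictionary-attack demo; not taken from any real leak.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2", "correcthorse"]

# Assumed work factor. In practice tune it so one verification costs ~100 ms on the
# server, and store it with the record so it can be raised later without a reset.
PBKDF2_ITERATIONS = 100_000


def legacy_sha1_hash(password: str, salt_hex: str) -> str:
    """Salted SHA-1 as the ticket describes: a single fast hash over password+salt.

    Concatenation order is an assumption for this example. The salt defeats
    precomputed (rainbow) tables, but each guess still costs one SHA-1.
    """
    return hashlib.sha1((password + salt_hex).encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a tunable iteration count: the 'slow' hash."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return derived.hex()


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Build a stored credential record (example layout, not CouchDB's)."""
    salt = os.urandom(16)  # fresh 128-bit salt per user, as the ticket already has
    return {
        "scheme": "pbkdf2",
        "salt": salt.hex(),
        "iterations": iterations,
        "hash": pbkdf2_hash(password, salt, iterations),
    }


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = pbkdf2_hash(password, salt, record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def crack(target_hash: str, hasher, wordlist=WORDLIST):
    """Offline dictionary attack against one stored hash.

    `hasher` maps a guess to a hex digest using the victim's salt (and iteration
    count, for PBKDF2). Returns (recovered password or None, guesses tried, seconds).
    """
    start = time.perf_counter()
    for tried, guess in enumerate(wordlist, 1):
        if hasher(guess) == target_hash:
            return guess, tried, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def _seconds_per_guess(hasher, samples: int) -> float:
    start = time.perf_counter()
    for _ in range(samples):
        hasher("hunter2")
    return (time.perf_counter() - start) / samples


def slowdown_factor(iterations: int = PBKDF2_ITERATIONS) -> float:
    """How many times more expensive one PBKDF2 guess is than one salted-SHA-1 guess.

    This ratio is the whole argument of the ticket: the attacker's guesses per
    second drop by roughly this factor, while the server pays it only once per login.
    """
    salt = os.urandom(16)
    fast = _seconds_per_guess(lambda g: legacy_sha1_hash(g, salt.hex()), samples=2000)
    slow = _seconds_per_guess(lambda g: pbkdf2_hash(g, salt, iterations), samples=5)
    return slow / fast


if __name__ == "__main__":
    salt_hex = os.urandom(16).hex()
    legacy = legacy_sha1_hash("hunter2", salt_hex)
    print("salted SHA-1 cracked:", crack(legacy, lambda g: legacy_sha1_hash(g, salt_hex)))

    record = make_record("hunter2")
    salt = bytes.fromhex(record["salt"])
    print("PBKDF2 cracked:", crack(record["hash"], lambda g: pbkdf2_hash(g, salt, record["iterations"])))
    print("verify correct/wrong:", verify(record, "hunter2"), verify(record, "Hunter2"))
    print("per-guess slowdown factor: %.0fx" % slowdown_factor())
```

Note that the dictionary attack still succeeds against the PBKDF2 record when the password is in the wordlist; the iteration count buys time per guess, not immunity, so the work factor should be chosen for the hardware the attacker will use, not the server.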