See https://issues.apache.org/jira/browse/COUCHDB-1060 for a mitigating proposal.
B.

On 12 October 2011 17:43, Travis Paul <[email protected]> wrote:
> Is there any way to hide the salt and hash from the _users database and still
> allow users to log in?
> It seems too easy for an attacker to download the database and run
> dictionary attacks (especially with passwords some of my users choose).
> I'm aware that I could protect the _users database, but then I will need to
> have some server side code that uses an appropriate account to authenticate
> and set the cookie for the user.
> Which is not a huge deal of work but I'm trying to keep everything within
> the CouchApp model (while still being able to Relax).
>
> Thanks!
>
