Thanks Robert, I found that already and was hoping there was some way to just mask the sha/hash altogether... Guess I'll just lock out the _users database for now :/
On Wed, Oct 12, 2011 at 12:50 PM, Robert Newson <[email protected]> wrote:

> See https://issues.apache.org/jira/browse/COUCHDB-1060 for a
> mitigating proposal.
>
> B.
>
> On 12 October 2011 17:43, Travis Paul <[email protected]> wrote:
> > Is there any way to hide the salt and hash from the _users database and still
> > allow users to log in?
> > It seems too easy for an attacker to download the database and run
> > dictionary attacks (Especially with passwords some of my users choose).
> > I'm aware that I could protect the _users database, but then I will need to
> > have some server side code that uses an appropriate account to authenticate
> > and set the cookie for the user.
> > Which is not a huge deal of work but I'm trying to keep everything within
> > the CouchApp model (while still being able to Relax).
> >
> > Thanks!
