That is one of the major motivations behind my inbox db patch. https://issues.apache.org/jira/browse/COUCHDB-1287
Feel free to upvote if you agree :)

On Thu, Oct 13, 2011 at 12:01 AM, Travis Paul wrote:
> Thanks Robert,
> I found that already and was hoping there was some way to just mask the
> sha/hash altogether...
> Guess I'll just lock out the _users database for now :/
>
> On Wed, Oct 12, 2011 at 12:50 PM, Robert Newson wrote:
>
>> See https://issues.apache.org/jira/browse/COUCHDB-1060 for a
>> mitigating proposal.
>>
>> B.
>>
>> On 12 October 2011 17:43, Travis Paul wrote:
>> > Is there any way to hide the salt and hash from the _users database and
>> > still allow users to log in?
>> > It seems too easy for an attacker to download the database and run
>> > dictionary attacks (especially with passwords some of my users choose).
>> > I'm aware that I could protect the _users database, but then I will need
>> > to have some server side code that uses an appropriate account to
>> > authenticate and set the cookie for the user.
>> > Which is not a huge deal of work but I'm trying to keep everything within
>> > the CouchApp model (while still being able to Relax).
>> >
>> > Thanks!

--
Iris Couch
