Hi Robert,

Yeah, the rate-limit was the first thing in my mind, but the changes to the auth system sound good, too.

I'll have a look at IP restrictions in the meantime.

Thanks,

Martin

On Wednesday, 11 July 2012 at 15:12, Robert Newson wrote:

> Hi Martin,
>
> If you mean some kind of rate-limiting for authentication requests, no
> (though that's a neat idea). The next release of CouchDB brings PBKDF2 as an
> enhancement to the SHA1 password hashes. This brings a configurable work
> factor which effectively limits the rate of authentication (at a CPU cost).
> It would be simple to impose a fixed and configurable delay to authenticating
> on top of that, though.
>
> B.
>
>
> On 11 Jul 2012, at 14:22, Martin Hewitt wrote:
>
> > Hi all,
> >
> > When using require_valid_user, does CouchDB have any built-in brute force
> > protection or should I be looking at an external way of preventing such
> > attacks?
> >
> > Thanks,
> >
> > Martin
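
The two defences discussed in this thread, as an added example that is not part of the original messages and is not CouchDB's own code: a PBKDF2 work factor on the password hash, with a per-client limit on failed attempts in front of it. The class name, the limits, the iteration count and the sample credentials are assumptions constructed for illustration.

```python
import hashlib
import hmac

ITERATIONS = 10_000   # PBKDF2 work factor (assumed value for this demo)
MAX_FAILURES = 3      # hypothetical policy: failed attempts allowed per window
WINDOW = 60.0         # window length in seconds (hypothetical)


def derive(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA1: CPU cost per guess grows linearly with iterations."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)


class AuthThrottle:
    """Sliding window of failed attempts per client, checked before hashing."""

    def __init__(self, users, clock):
        self.users = users    # name -> (salt, derived_key, iterations)
        self.clock = clock    # callable returning seconds, injectable for tests
        self.failures = {}    # client id -> timestamps of recent failures

    def authenticate(self, client, name, password):
        now = self.clock()
        recent = [t for t in self.failures.get(client, []) if now - t < WINDOW]
        self.failures[client] = recent
        if len(recent) >= MAX_FAILURES:
            return "throttled"   # refuse without spending CPU on PBKDF2
        salt, key, iters = self.users.get(name, (b"", b"", ITERATIONS))
        # Hash even for unknown users so response time does not reveal them.
        candidate = derive(password, salt, iters)
        if name in self.users and hmac.compare_digest(candidate, key):
            return "ok"
        recent.append(now)
        return "denied"


def demo():
    """Constructed data: three wrong guesses, a blocked try, then a retry."""
    salt = b"constructed-salt"
    users = {"martin": (salt, derive("s3cret", salt), ITERATIONS)}
    now = [0.0]
    auth = AuthThrottle(users, clock=lambda: now[0])
    guesses = ("a", "b", "c", "s3cret")
    results = [auth.authenticate("10.0.0.5", "martin", g) for g in guesses]
    now[0] = 61.0   # the failure window has expired
    results.append(auth.authenticate("10.0.0.5", "martin", "s3cret"))
    return results


if __name__ == "__main__":
    print(demo())
```

The throttle check runs before the key derivation, so a blocked client cannot use the work factor itself to burn server CPU.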
