The intention was to avoid performance degradation: you may set 10000 as
the specification recommends, but this will significantly slow down
the authentication process, and especially replication, which currently
cannot use cookies for auth. While 10 iterations is low, it's still
better than salted sha1 which was used previously.
--
,,,^..^,,,


On Tue, Feb 10, 2015 at 7:50 AM, jumbo jim <[email protected]> wrote:
> Hi,
>
> I noticed when creating new users in 1.6.1, that only 10 iterations of
> pbkdf2 are used.
>
> I found the following link -
>
> https://issues.apache.org/jira/browse/COUCHDB-2066
>
> What "requests" (other than login), go through the pbkdf2 scheme?
>
> I would imagine that replicators would not make use of session cookies, so
> therefore pbkdf2 would be used here. However, I am quite happy for the
> replicator user to have pbkdf2 iterations at 10 as this user contains a
> (strong) password that I control.
>
> I am more concerned with other users set at 10 iterations. Is pbkdf2 used
> for read/writes even though session cookies are used?
>
> What would the reasons be against using 10000 iterations?
>
> Thank you.
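
The trade-off discussed in this thread, as an added example that is not part of the original messages or CouchDB's own code: it verifies a password against a constructed user document and measures the hashing cost per check at 10 and 10000 iterations. The document field names, the sample credentials, and the model that a cookie session hashes once at login while per-request password auth hashes on every request are assumptions of the example.

```python
import hashlib
import hmac
import time

def derive(password: str, salt: bytes, iterations: int) -> str:
    """PBKDF2-HMAC-SHA1 with a 20-byte derived key, hex encoded."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, 20).hex()

def make_user_doc(name: str, password: str, salt: bytes, iterations: int) -> dict:
    # Constructed sample document; field names are assumptions of this example.
    return {"name": name, "password_scheme": "pbkdf2", "iterations": iterations,
            "salt": salt.decode(), "derived_key": derive(password, salt, iterations)}

def verify(doc: dict, password: str) -> bool:
    """Re-derive the key with the document's own salt and iteration count."""
    candidate = derive(password, doc["salt"].encode(), doc["iterations"])
    return hmac.compare_digest(candidate, doc["derived_key"])  # constant-time compare

def seconds_per_check(doc: dict, password: str, runs: int = 20) -> float:
    """Average wall-clock time of one password verification."""
    start = time.perf_counter()
    for _ in range(runs):
        verify(doc, password)
    return (time.perf_counter() - start) / runs

def auth_cost(doc: dict, password: str, requests: int, cookie_session: bool) -> float:
    """Total hashing time for a batch of requests under the assumed model:
    one check at login with a cookie, one check per request without."""
    checks = 1 if cookie_session else requests
    return checks * seconds_per_check(doc, password)

if __name__ == "__main__":
    salt = b"9f1c2a7be4d05368"   # constructed sample salt
    pw = "correct horse"         # constructed sample password
    for iters in (10, 10000):
        doc = make_user_doc("replicator", pw, salt, iters)
        per_check = seconds_per_check(doc, pw)
        no_cookie = auth_cost(doc, pw, 1000, cookie_session=False)
        cookie = auth_cost(doc, pw, 1000, cookie_session=True)
        print(f"{iters:>6} iterations: {per_check * 1e3:.3f} ms/check, "
              f"1000 requests: {no_cookie:.3f} s without cookie, {cookie:.4f} s with cookie")
```

The same iteration count that sets the server's per-request cost also sets an attacker's cost per offline guess against a leaked derived key, so lowering one lowers the other.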
