Uploaded image for project: 'CouchDB'
  1. CouchDB
  2. COUCHDB-1060

CouchDB should use a secure password hash method instead of the current one

Details

    • Improvement
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • 1.0.2
    • 1.3
    • Database Core
    • None

    Description

      CouchDB passwords are stored in a salted, hashed format of a 128-bit salt combined with the password under SHA-1. This method thwarts rainbow table attacks, but is utterly ineffective against any dictionary attacks as computing SHA-1 is very fast indeed.

      If passwords are to be stored in a non-plaintext equivalent format, the hash function needs to be a "slow" hash function. Suitable candidates for this could be bcrypt, scrypt and PBKDF2. Of the choices, only PBKDF2 is really widely used, standardized and goverment approved. (Note: don't be fooled that the PBKDF2 is a "key derivation" function - in this case, it is exactly the same thing as a slow password hash.)

      http://en.wikipedia.org/wiki/PBKDF2

      Attachments

        1. pbkdf2.erl
          3 kB
          Robert Newson
        2. pbkdf2.erl
          4 kB
          Robert Newson
        3. 0001-Integrate-PBKDF2.patch
          21 kB
          Robert Newson

        Activity

          People

            rnewson Robert Newson
            nakedible Nuutti Kotivuori
            Votes:
            1 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment