CouchDB
COUCHDB-1060

CouchDB should use a secure password hash method instead of the current one

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.0.2
    • Fix Version/s: 1.3
    • Component/s: Database Core
    • Labels: None

      Description

      CouchDB passwords are stored in a salted, hashed format of a 128-bit salt combined with the password under SHA-1. This method thwarts rainbow table attacks, but is utterly ineffective against any dictionary attacks as computing SHA-1 is very fast indeed.

      If passwords are to be stored in a non-plaintext equivalent format, the hash function needs to be a "slow" hash function. Suitable candidates for this could be bcrypt, scrypt and PBKDF2. Of the choices, only PBKDF2 is really widely used, standardized and government approved. (Note: don't be fooled that PBKDF2 is a "key derivation" function - in this case, it is exactly the same thing as a slow password hash.)

      http://en.wikipedia.org/wiki/PBKDF2
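The two schemes contrasted in the description, as an added example that is not part of the issue, the attached pbkdf2.erl, or CouchDB's own code. It is written in Python rather than Erlang so it runs with the standard library alone: `sha1_salted` models the fast "128-bit salt combined with the password under SHA-1" scheme, `pbkdf2_sha1` wraps the real `hashlib.pbkdf2_hmac` call, and `verify` does the constant-time comparison a server should use. The stored-record field names, the iteration count and the wordlist are this example's assumptions, and the `__main__` block shows why the iteration count matters by measuring how many guesses per second each scheme allows on the machine it runs on.

```python
import hashlib
import hmac
import os
import time

SHA1_SALT_BYTES = 16          # 128-bit salt, as in the scheme the issue describes
DEFAULT_ITERATIONS = 10_000   # assumed work factor for this example; tune to the server's budget


def sha1_salted(password, salt):
    """Constructed model of the fast scheme: one SHA-1 over salt || password.
    Salting defeats rainbow tables but every guess costs a single SHA-1."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def pbkdf2_sha1(password, salt, iterations):
    """PBKDF2-HMAC-SHA1 with a 20-byte derived key.
    hashlib.pbkdf2_hmac is the genuine standard-library call; the name
    pbkdf2_sha1 is only this example's wrapper."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, dklen=20)


def make_record(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Build the stored credential. Field names are assumed for this example;
    the salt and iteration count are stored so verify() can recompute."""
    if salt is None:
        salt = os.urandom(SHA1_SALT_BYTES)
    return {
        "password_scheme": "pbkdf2",
        "iterations": iterations,
        "salt": salt.hex(),
        "derived_key": pbkdf2_sha1(password, salt, iterations).hex(),
    }


def verify(record, candidate):
    """Recompute with the stored salt and iteration count and compare in
    constant time so the comparison itself leaks nothing about the key."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["derived_key"])
    actual = pbkdf2_sha1(candidate, salt, record["iterations"])
    return hmac.compare_digest(actual, expected)


def dictionary_attack(record, wordlist):
    """Offline guess loop an attacker runs against a leaked record.
    Returns the recovered password or None; with PBKDF2 every guess costs
    `iterations` HMAC computations instead of one SHA-1."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


def guesses_per_second(hash_fn, seconds=0.5):
    """Rough throughput of one hash function on this machine; illustrative only."""
    salt = b"\x00" * SHA1_SALT_BYTES
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn("guess%d" % n, salt)
        n += 1
    return n / seconds


if __name__ == "__main__":
    WORDLIST = ["123456", "password", "letmein", "correct horse"]   # constructed
    rec = make_record("correct horse")
    print("verify ok:   ", verify(rec, "correct horse"))
    print("verify wrong:", verify(rec, "hunter2"))
    print("recovered:   ", dictionary_attack(rec, WORDLIST))
    fast = guesses_per_second(sha1_salted)
    slow = guesses_per_second(lambda p, s: pbkdf2_sha1(p, s, DEFAULT_ITERATIONS))
    print("SHA-1 guesses/s: %.0f   PBKDF2 guesses/s: %.0f   slowdown: %.0fx"
          % (fast, slow, fast / max(slow, 1e-9)))
```

The slowdown printed at the end is roughly the iteration count: the defender pays it once per login, the attacker once per guess, which is the whole point of a "slow" hash. The record keeps its own iteration count so the work factor can be raised later without invalidating existing credentials.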

        Attachments

        1. pbkdf2.erl
          3 kB
          Robert Newson
        2. pbkdf2.erl
          4 kB
          Robert Newson
        3. 0001-Integrate-PBKDF2.patch
          21 kB
          Robert Newson


            People

            • Assignee: Robert Newson (rnewson)
            • Reporter: Nuutti Kotivuori (nakedible)
            • Votes: 1
            • Watchers: 4
