Details
-
Type:
Improvement
-
Status: Resolved
-
Priority:
Minor
-
Resolution: Fixed
-
Affects Version/s: 1.0.2
-
Fix Version/s: 1.3
-
Component/s: Database Core
-
Labels:None
Description
CouchDB passwords are stored in a salted, hashed format of a 128-bit salt combined with the password under SHA-1. This method thwarts rainbow table attacks, but is utterly ineffective against any dictionary attacks as computing SHA-1 is very fast indeed.
If passwords are to be stored in a non-plaintext equivalent format, the hash function needs to be a "slow" hash function. Suitable candidates for this could be bcrypt, scrypt and PBKDF2. Of the choices, only PBKDF2 is really widely used, standardized and goverment approved. (Note: don't be fooled that the PBKDF2 is a "key derivation" function - in this case, it is exactly the same thing as a slow password hash.)