[COUCHDB-1060] CouchDB should use a secure password hash method instead of the current one - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 1.0.2
Fix Version/s: 1.3
Component/s: Database Core
Labels:
None

Description

CouchDB passwords are stored in a salted, hashed format of a 128-bit salt combined with the password under SHA-1. This method thwarts rainbow table attacks, but is utterly ineffective against any dictionary attacks as computing SHA-1 is very fast indeed.

If passwords are to be stored in a non-plaintext equivalent format, the hash function needs to be a "slow" hash function. Suitable candidates for this could be bcrypt, scrypt and PBKDF2. Of the choices, only PBKDF2 is really widely used, standardized and goverment approved. (Note: don't be fooled that the PBKDF2 is a "key derivation" function - in this case, it is exactly the same thing as a slow password hash.)

http://en.wikipedia.org/wiki/PBKDF2

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

0001-Integrate-PBKDF2.patch
01/Sep/11 17:27
21 kB
Robert Newson
pbkdf2.erl
23/Mar/11 10:19
4 kB
Robert Newson
pbkdf2.erl
22/Mar/11 23:56
3 kB
Robert Newson

Activity

People

Assignee:: Robert Newson

Reporter:: Nuutti Kotivuori

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 05/Feb/11 17:54

Updated:: 26/Mar/12 16:21

Resolved:: 26/Mar/12 16:21