Is there any way to hide the salt and hash from the _users database and still
allow users to log in?
It seems too easy for an attacker to download the database and run
dictionary attacks (especially with passwords some of my users choose).
I'm aware that I could protect the _users database, but then I will need to
have some server side code that uses an appropriate account to authenticate
and set the cookie for the user.
Which is not a huge deal of work but I'm trying to keep everything within
the CouchApp model (while still being able to Relax).
Thanks!
[CouchDB-user] Hide hash and salt on _users
Robert Newson at Oct 12, 2011 at 4:50 pm
See https://issues.apache.org/jira/browse/COUCHDB-1060 for a
mitigating proposal.
B.
Travis Paul at Oct 12, 2011 at 5:02 pm
Thanks Robert,
I found that already and was hoping there was some way to just mask the
sha/hash altogether...
Guess I'll just lock out the _users database for now :/
Jason Smith at Oct 12, 2011 at 6:34 pm
That is one of the major motivations behind my inbox db patch.
https://issues.apache.org/jira/browse/COUCHDB-1287
Feel free to up vote if you agree :)
--
Iris Couch
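The lock-down discussed in this thread can be checked with a small audit, shown here as an added example that is not part of the original posts or of CouchDB itself. It takes a database `_security` object and a list of `_users` documents and reports which documents expose credential fields to any reader. The field names (`password_sha`, `salt`, `derived_key`), the `readers`/`members` section names and the sample documents are assumptions about the CouchDB version in use.

```python
# Added example: audit whether a CouchDB _users database exposes credential
# fields. Field and section names are assumptions about the CouchDB version;
# the sample documents below are constructed, not taken from a real server.

CREDENTIAL_FIELDS = ("password_sha", "salt", "derived_key")


def restricted_readers(security):
    """Return True if the _security object limits who may read the database.

    A database is readable by everyone when the names and roles lists of
    the reader section are both empty. The section is called "readers" in
    older releases and "members" in later ones, so both are checked.
    """
    for section in ("readers", "members"):
        entry = security.get(section) or {}
        if entry.get("names") or entry.get("roles"):
            return True
    return False


def audit_users_db(security, docs):
    """List (doc id, exposed fields) for user docs any reader can fetch."""
    if restricted_readers(security):
        return []
    findings = []
    for doc in docs:
        if doc.get("type") != "user":
            continue  # skip design documents and anything else
        exposed = [f for f in CREDENTIAL_FIELDS if f in doc]
        if exposed:
            findings.append((doc["_id"], exposed))
    return findings


# Constructed sample input
OPEN_SECURITY = {}  # no _security object set: world-readable
LOCKED_SECURITY = {"admins": {"names": [], "roles": []},
                   "readers": {"names": [], "roles": ["_admin"]}}
SAMPLE_DOCS = [
    {"_id": "_design/_auth", "language": "javascript"},
    {"_id": "org.couchdb.user:alice", "type": "user", "name": "alice",
     "roles": [], "password_sha": "<constructed>", "salt": "<constructed>"},
]

if __name__ == "__main__":
    print(audit_users_db(OPEN_SECURITY, SAMPLE_DOCS))
    print(audit_users_db(LOCKED_SECURITY, SAMPLE_DOCS))
```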
Discussion Overview
| categories | couchdb |
| posted | Oct 12, '11 at 4:44p |
| active | Oct 12, '11 at 6:34p |
| posts | 4 |
| users | 3 |
| website | couchdb.apache.org |
| irc | #couchdb |
