[CouchDB-user] Hide hash and salt on _users

Travis Paul
Oct 12, 2011 at 4:44 pm
Is there any way to hide the salt and hash from the _users database and still
allow users to log in?
It seems too easy for an attacker to download the database and run
dictionary attacks (especially with the passwords some of my users choose).
I'm aware that I could protect the _users database, but then I will need to
have some server-side code that uses an appropriate account to authenticate
and set the cookie for the user.
That is not a huge amount of work, but I'm trying to keep everything within
the CouchApp model (while still being able to Relax).

Thanks!
3 responses

  • Robert Newson at Oct 12, 2011 at 4:50 pm
    See https://issues.apache.org/jira/browse/COUCHDB-1060 for a
    mitigating proposal.

    B.
  • Travis Paul at Oct 12, 2011 at 5:02 pm
    Thanks Robert,
    I found that already and was hoping there was some way to just mask the
    sha/hash altogether...
    Guess I'll just lock out the _users database for now :/

  • Jason Smith at Oct 12, 2011 at 6:34 pm
    That is one of the major motivations behind my inbox db patch.

    https://issues.apache.org/jira/browse/COUCHDB-1287

    Feel free to up vote if you agree :)
    --
    Iris Couch
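As an added example (not code from the thread or from CouchDB itself), the following Python models the "lock out the _users database" mitigation Travis settles on: it checks whether a CouchDB 1.x-era `_security` object leaves `_users` world-readable, builds the admins-only replacement, and flags dumped user docs that still carry a readable `salt`/`password_sha` pair. The `_admin` members role and the sample documents are assumptions, not values from the thread.

```python
import json

# Assumed CouchDB 1.x semantics: a _security object whose members.names and
# members.roles are both empty lets any user, anonymous included, read the
# database. On _users that means every doc's salt and password_sha can be
# fetched with a single GET, which is the exposure the thread is about.
DEFAULT_SECURITY = {"admins": {"names": [], "roles": []},
                    "members": {"names": [], "roles": []}}


def users_db_world_readable(security):
    """True if the _security object grants read access to everyone."""
    members = security.get("members", {})
    return not members.get("names") and not members.get("roles")


def admins_only_security():
    """_security object restricting readers of _users to server admins.

    Assumption: the built-in _admin role is held by server admins, so listing
    it under members.roles closes the database to everyone else.
    """
    return {"admins": {"names": [], "roles": []},
            "members": {"names": [], "roles": ["_admin"]}}


def security_json():
    """Body to PUT to /_users/_security with admin credentials, e.g.
    curl -X PUT http://admin:pw@localhost:5984/_users/_security -d @body.json
    (hostname and credentials are placeholders)."""
    return json.dumps(admins_only_security())


def hash_exposure_report(user_docs):
    """Given docs dumped from _users, list those carrying a salt/hash pair."""
    return [d["_id"] for d in user_docs if "salt" in d and "password_sha" in d]


# Constructed sample docs in the 1.1-era _users format; values are fake.
SAMPLE_DOCS = [
    {"_id": "org.couchdb.user:alice", "type": "user", "name": "alice",
     "roles": [], "salt": "0123456789abcdef", "password_sha": "deadbeef"},
    {"_id": "org.couchdb.user:bob", "type": "user", "name": "bob", "roles": []},
]

if __name__ == "__main__":
    print("world-readable:", users_db_world_readable(DEFAULT_SECURITY))
    print("exposed docs:", hash_exposure_report(SAMPLE_DOCS))
    print("fix:", security_json())
```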
