couchdb-dev mailing list archives

From Brian Candler <B.Cand...@pobox.com>
Subject Re: DB ACLs (was Re: 0.11 Release / Feature Freeze for 1.0)
Date Wed, 03 Feb 2010 21:35:28 GMT
On Wed, Feb 03, 2010 at 09:24:26PM +0000, Brian Candler wrote:
> > > (9) The _users db itself is world-readable (showing not only who your users
> > > are, but their password hashes). Highly undesirable.
> > 
> > I actually consider this a feature. We'd like to get some stronger
> > password hashing (see the bcrypt threads) which should help with the
> > password parts.

Actually, passwords aren't even the issue. Just revealing the *usernames* of
all the users on the system is the problem.

For example, if I were a competitor to couch.io, I would be very happy to
download a list of customers I should be poaching :-)

Regards,

Brian.
