On Wed, Feb 3, 2010 at 1:35 PM, Brian Candler <[email protected]> wrote:

> On Wed, Feb 03, 2010 at 09:24:26PM +0000, Brian Candler wrote:
>> > > (9) The _users db itself is world-readable (showing not only who your
>> > > users are, but their password hashes). Highly undesirable.
>> >
>> > I actually consider this a feature. We'd like to get some stronger
>> > password hashing (see the bcrypt threads) which should help with the
>> > password parts.
>
> Actually, passwords aren't even the issue. Just revealing the *usernames* of
> all the users on the system is the problem.
>
> For example, if I were a competitor to couch.io, I would be very happy to
> download a list of customers I should be poaching :-)

In couch.io each customer gets an entire couchdb server, so no worries about that.

Chris

--
Chris Anderson
http://jchrisa.net
http://couch.io
