
npm (Node's package manager) leaks all user password hashes and salts - jashkenas
https://gist.github.com/2001456
======
jashkenas
The important sentence here:

> By default, CouchDB prior to version 1.2.0
> makes [the /_users] database world-readable.

Note that the current stable version of CouchDB is 1.1.1.

I assume that "world-readable" in this case also means world-readable over
HTTP, if your Couch server isn't firewalled.

_Update_: If you've already filled out npm's "reset password" form, but
haven't received an email yet, @isaacs says that the email bot might be
backlogged by a couple hours.

~~~
throwawaysnipe
The e-mail heavily implies that the security breach was CouchDB's fault
instead of those who were administering that Couch server.

Deliberate passing the buck or accidental bad choice of words?

~~~
jashkenas
I think more of a serious gut check for anyone who's deliberately exposing a
CouchDB server to the web because it contains all or mostly public data.

~~~
throwawaysnipe
My bad, just realized you aren't e-mail writer or npm admin. Thrown off by
gist author.

Deliberately exposing anything to the web should come with lots of... wait for
it... deliberation. The npm guy is a core community member; this incident
shows a lot of sloppiness and doesn't inspire faith.

------
swannodette
There is absolutely nothing to see here as far as CouchDB is concerned -
[http://stackoverflow.com/questions/4847145/couchdb-adding-user-profile-attributes-in-user-documents](http://stackoverflow.com/questions/4847145/couchdb-adding-user-profile-attributes-in-user-documents).
Note that this answer from _2011_ notes that _users is not intended for
storing secure information.

npm effed up is all.

~~~
jashkenas
If that's the case, then why is CouchDB treating it as a security error, and
"fixing" it in 1.2.0? Change of heart?

~~~
daleharvey
CouchDB introduced new functionality that allows extra use cases, in
particular it can now handle npm's use case in a secure manner. Just because it
didn't handle npm's use case before and npm decided to expose that information
does not mean it was ever Couch's problem.

------
brown9-2
So just to be clear, this is only a problem for npm package maintainers/admins
right? Regular users of npm wouldn't have registry accounts. The headline
reads as if the npm client is the risk.

------
tomjen3
> Reset/change the password of any service that has the same password.

Well this bullshit has to stop. I use the same password on most 'low-risk'
sites, and I can't remember them all (can you remember all the blogs you have
signed up for?) so I can't 'change the password on all other sites because
CouchDB uses a retarded security scheme'.

~~~
drivebyacct2
Stop using the same password anywhere. There are password management systems
that do encryption client side, have extensions for every major browser, have
mobile apps, support two-factor authentication, will prepopulate both
registration and login forms and more.

It's EASIER to use a password manager with very strong, unique passwords than
it is to not. Not to mention the eliminated risk of "where did I use this
password that just got leaked".

How many more leaks and how many more times do I have to repeat this to get
people to take it seriously? Every time people whine that it's too much work
(it's not, it seriously isn't) but they don't think about how much of a hassle
these leaks can be. NPM, PS3, BitCoin reserves, how many more diverse things
need to be hacked for people to realize that it's simply a matter of time?

~~~
tomjen3
Do they work on all platforms (Linux, Windows, Android, Mac OS X and iOS)? Do
they automatically sync (so I don't end up being locked out of one account)?
Can I be sure they won't be shut down and thereby leave me cut off from all my
online services?

And what do I do when the password manager is, inevitably, broken into?

It seems to me that a password manager is a great theoretical idea, but they
don't really work in practice.

~~~
ceejayoz
> Do they work on all platforms (Linux, Windows, Android, Mac OS X and iOS)?

1password works on all of those except Linux. I believe LastPass works on all.

> Do they automatically sync?

1password syncs to Dropbox.

> Can I be sure they won't be shut down and thereby leave me cut off from all
> my online services?

Yes, if it syncs to something like Dropbox that has a local copy.

> And what do I do when the password manager is, inevitably, broken into?

The same thing you have to currently do if you're using one password
everywhere?

~~~
bhousel
1Password actually has, hidden inside the '1password.agilekeychain' folder, a
file called 1Password.html, which can be opened in any modern browser. So you
can actually get at your passwords from a Linux machine by opening this .html
file and supplying your master password.

I think they call this feature "1Password Anywhere". I'm surprised they don't
talk about it more.

~~~
kyleslattery
Yes, I love this. I store my 1Password file in Dropbox, so in a pinch, I can
log into Dropbox on someone else's computer and grab any password I might
need.

------
mrduncan
CouchDB uses SHA-1 hashes for passwords - you've got to be kidding me. What is
the rationale for that over bcrypt?

~~~
tomjen3
Speed. Bcrypt is much slower.

~~~
pjscott
That's part of bcrypt's reason for existing. In order to protect against
brute-forcing stolen hashes, bcrypt has to be slow enough to make brute force
impractical. This isn't a bug; it's a necessary feature. If the server they're
running npm on is so old or so overloaded that the slowdown from using bcrypt
would even be particularly noticeable, then they have other problems.

~~~
tomjen3
Oh it can surely run bcrypt for a few users. The question is if it can run it
for a couple thousand a minute.

I am not so sure of that.

~~~
grandpoobah
It doesn't need to run it for a couple thousand a minute, there aren't that
many people registering with NPM at any given time.

~~~
tomjen3
Sure, but how many people are using it? You would need to verify the password
on each request (since you can't use browser cookies).

~~~
pjscott
The operations npm needs to log in for are a fairly small percentage of the
total. If you need to upload a new version of a package, then that takes a
password. If you just need to search for a package, or download its latest
version, those don't need authentication. The overhead from using proper slow
password hashing would be minimal.

And evidently the CouchDB guys agree with me, because they switched to using
PBKDF2 for password storage -- essentially, iterate SHA several thousand times
to make it slower.
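
To make the difference discussed in this subthread concrete, here is an added example (my own code, not CouchDB's or npm's) contrasting a salted single-round SHA-1 with PBKDF2-HMAC-SHA1, i.e. SHA-1 iterated many times. The field names and iteration count are assumptions chosen for illustration; the point is that the same stolen hash costs an attacker thousands of times more guesses per second under the iterated scheme, while a legitimate login barely notices.

```python
import hashlib
import hmac
import os
import time

# Constructed example, not CouchDB's code. Scheme names and iteration counts
# are assumptions for illustration; PBKDF2 outputs are checked against the
# RFC 6070 test vectors so the construction itself is verifiable.
ITERATIONS = 10_000


def legacy_sha1(password: str, salt: str) -> str:
    """Single salted SHA-1 round: fast to verify, equally fast to guess."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def pbkdf2_sha1(password: str, salt: str, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA1 with a 20-byte output: SHA-1 iterated `iterations` times."""
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                             salt.encode("utf-8"), iterations)
    return dk.hex()


def verify_pbkdf2(password: str, salt: str, iterations: int, stored_hex: str) -> bool:
    """Constant-time comparison so verification does not leak via timing."""
    return hmac.compare_digest(pbkdf2_sha1(password, salt, iterations), stored_hex)


def cost_ratio(iterations: int = ITERATIONS) -> float:
    """How many times more expensive one PBKDF2 check is than one legacy SHA-1.

    Both the defender (on login) and an attacker (on a leaked hash) pay this
    factor per guess; the defender pays it once, the attacker per candidate.
    """
    salt = os.urandom(16).hex()
    fast_runs, slow_runs = 2000, 20
    t0 = time.perf_counter()
    for _ in range(fast_runs):
        legacy_sha1("correct horse", salt)
    fast = (time.perf_counter() - t0) / fast_runs
    t0 = time.perf_counter()
    for _ in range(slow_runs):
        pbkdf2_sha1("correct horse", salt, iterations)
    slow = (time.perf_counter() - t0) / slow_runs
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    print(f"PBKDF2({ITERATIONS}) costs ~{cost_ratio():.0f}x one SHA-1 round")
```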

------
shocks
Is it so unreasonable to force everyone to change their password?

------
doki_pen
Thundering herd problem with emails. Are there any email startups that can
help out? isaacs' email is on the OP link.

------
cheatercheater
Software which is supposed to be installed by running under sudo a shell
script wgetted from a site somewhere without ever reviewing it ends up leaking
all passwords.

As surprising as getting lice after you let a hobo sleep in your bed.

