On Aug 16, 2011, at 8:31 PM, Noah Slater wrote:

>
> On 16 Aug 2011, at 10:33, Benoit Chesneau wrote:
>
>> Imo we shouldn't at all provide plaintext passwords. Maybe a safer
>> option would be to let the admin create the first one via http or put
>> the hash in a password.ini file manually. If we are kind enough we
>> could also provide a couchctl script allowing user management, config
>> changes ... ?
>
> This sounds like a decent proposal. Much like you have to use htpasswd to
> generate passwords for Apache httpd, we could bundle a script that lets you
> generate passwords for the CouchDB ini files, and then forbid the use of
> plaintext. This solves both the technical problem (I think?) and helps us
> re-enforce better security practices across the board.

Agreed.

Cheers
Jan
--
