ralphington | 4 years ago

What kind of database auth did you have? Wouldn't they have had to access config files or related in order to obtain your passwords, usernames, etc?

beermonster|4 years ago

I think by default MongoDB has no enabled access control, so there is no default user or password.

vultour|4 years ago

Am I misunderstanding or do people launch their Mongo container without even MONGO_INITDB_ROOT_{USERNAME,PASSWORD}? It's clearly mentioned in the image README. Takes 15 seconds to set. I'd be incredibly concerned if anybody with more than a day of infrastructure experience did this, even worse on a production database.

pm90|4 years ago

How is this acceptable… requiring a password, even a weak one, might have at least bought some time in this situation.

dheera|4 years ago

Mongo is so insecure that it's commonplace to not bother with usernames and passwords and just firewall the hell out of it instead. Plus that's one more plaintext password you'll end up storing all over the place. Its default configuration requires no authentication.

Not saying it's a good practice but it's a common pattern I've seen.
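
Added example, not part of any comment in this thread: a small audit over `docker inspect` JSON that flags the two conditions discussed above, a mongo container started without `MONGO_INITDB_ROOT_USERNAME`/`MONGO_INITDB_ROOT_PASSWORD` (or their `_FILE` variants) and port 27017 published beyond loopback. The sample data, the `audit_mongo` name and the finding labels are constructed for illustration.

```python
import json

# Constructed sample shaped like `docker inspect` output; names and values are made up.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/db-open", "Config": {"Image": "mongo:4.4", "Env": ["PATH=/usr/bin"], "Cmd": ["mongod"]},
  "HostConfig": {"PortBindings": {"27017/tcp": [{"HostIp": "", "HostPort": "27017"}]}}},
 {"Name": "/db-env", "Config": {"Image": "mongo:4.4", "Cmd": ["mongod"],
   "Env": ["MONGO_INITDB_ROOT_USERNAME=admin", "MONGO_INITDB_ROOT_PASSWORD=example-only"]},
  "HostConfig": {"PortBindings": {"27017/tcp": [{"HostIp": "127.0.0.1", "HostPort": "27017"}]}}},
 {"Name": "/db-secret", "Config": {"Image": "mongo:4.4", "Cmd": ["mongod"],
   "Env": ["MONGO_INITDB_ROOT_USERNAME_FILE=/run/secrets/mongo_user",
           "MONGO_INITDB_ROOT_PASSWORD_FILE=/run/secrets/mongo_pass"]},
  "HostConfig": {"PortBindings": {}}},
 {"Name": "/web", "Config": {"Image": "nginx:stable", "Env": [], "Cmd": ["nginx"]},
  "HostConfig": {"PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]}}}
]""")

LOOPBACK = {"127.0.0.1", "::1"}
USER_VARS = {"MONGO_INITDB_ROOT_USERNAME", "MONGO_INITDB_ROOT_USERNAME_FILE"}
PASS_VARS = {"MONGO_INITDB_ROOT_PASSWORD", "MONGO_INITDB_ROOT_PASSWORD_FILE"}

def audit_mongo(containers, port="27017/tcp"):
    """Map each mongo container name to a list of finding labels (labels are hypothetical)."""
    report = {}
    for c in containers:
        cfg = c.get("Config") or {}
        if "mongo" not in (cfg.get("Image") or ""):
            continue
        env = {e.split("=", 1)[0] for e in cfg.get("Env") or []}
        args = (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])
        binds = ((c.get("HostConfig") or {}).get("PortBindings") or {}).get(port) or []
        findings = []
        # Neither root credentials for first-start init nor an explicit --auth flag.
        if not (env & USER_VARS and env & PASS_VARS) and "--auth" not in args:
            findings.append("no-access-control")
        # An empty HostIp or 0.0.0.0 publishes the port on every host interface.
        if any((b.get("HostIp") or "") not in LOOPBACK for b in binds):
            findings.append("published-on-non-loopback")
        # Password visible to anyone who can run `docker inspect`; the _FILE form avoids that.
        if "MONGO_INITDB_ROOT_PASSWORD" in env:
            findings.append("password-in-plain-env")
        report[c.get("Name", "?").lstrip("/")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_mongo(SAMPLE_INSPECT).items():
        print(name, findings or "ok")
```

The check only sees environment variables and command-line arguments, so authorization enabled through a mongod config file is not detected.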