Security Release Notes

Access to system.users Collection
Changed in version 2.4.

In 2.4, only users with the userAdmin role have access to the system.users collection.
In version 2.2 and earlier, the read-write users of a database all have access to the system.users collection, which contains the user names and user password hashes. [1]

[1] Read-only users do not have access to the system.users collection.
Password Hashing Insecurity
If a user has the same password for multiple databases, the hash will be the same. A malicious user could exploit this to gain access on a second database using a different user’s credentials.
As a result, always use unique username and password combinations for each database.
Thanks to Will Urbanski, from Dell SecureWorks, for identifying this issue.
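The following is an added audit example, not code from the MongoDB project or this page. It assumes the legacy stored hash is md5(user + ":mongo:" + password) (the database name is not an input, which is why identical credentials produce identical hashes across databases) and runs over constructed system.users documents to flag hashes that appear in more than one database.

```python
import hashlib
from collections import defaultdict


def legacy_pwd_hash(user: str, password: str) -> str:
    # Assumption: the legacy stored "pwd" value is md5(user + ":mongo:" + password).
    # The database name never enters the digest, so the same user/password pair
    # stored in two databases yields the same hash.
    return hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest()


# Constructed sample: one system.users collection per database.
SAMPLE_SYSTEM_USERS = {
    "inventory": [
        {"user": "app", "pwd": legacy_pwd_hash("app", "s3cret"), "readOnly": False},
        {"user": "reporter", "pwd": legacy_pwd_hash("reporter", "r3ad"), "readOnly": True},
    ],
    "billing": [
        {"user": "app", "pwd": legacy_pwd_hash("app", "s3cret"), "readOnly": False},
        {"user": "ops", "pwd": legacy_pwd_hash("ops", "unique-pw"), "readOnly": False},
    ],
    "analytics": [
        # Same username as above but a different password, so a different hash.
        {"user": "app", "pwd": legacy_pwd_hash("app", "other-pw"), "readOnly": False},
    ],
}


def find_reused_hashes(system_users):
    """Return {pwd_hash: [(database, user), ...]} for every hash stored in
    more than one database. Each entry is a username/password combination
    reused across databases, which the release note advises against."""
    seen = defaultdict(list)
    for db, docs in system_users.items():
        for doc in docs:
            seen[doc["pwd"]].append((db, doc["user"]))
    return {h: sorted(places) for h, places in seen.items()
            if len({db for db, _ in places}) > 1}


if __name__ == "__main__":
    for h, places in find_reused_hashes(SAMPLE_SYSTEM_USERS).items():
        print(f"hash {h} reused in: {places}")
```

To audit a real 2.2 deployment, replace SAMPLE_SYSTEM_USERS with the documents read from each database's system.users collection.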