This version of the documentation is archived and no longer supported.

Security Release Notes

Access to system.users Collection

Changed in version 2.4.

In 2.4, only users with the userAdmin role have access to the system.users collection.

In version 2.2 and earlier, the read-write users of a database all have access to the system.users collection, which contains the user names and user password hashes. [1]

[1] Read-only users do not have access to the system.users collection.

Password Hashing Insecurity

If a user has the same password for multiple databases, the stored hash will be the same in each. A malicious user who can read one database's system.users collection could exploit this to gain access to a second database using a different user’s credentials.

As a result, always use a unique username and password combination for each database.
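The following is an added audit example, not code from the MongoDB documentation: it scans a constructed set of 2.2-style system.users documents for a hash stored in more than one database and, using the 2.2 rule that every read-write user can read their database's system.users collection, lists which other accounts could read that hash. The `db`, `user`, `pwd` and `readOnly` fields and all hash values are constructed sample data.

```python
from collections import defaultdict

# Constructed sample of 2.2-style system.users documents, one per (database, user).
# The "pwd" values are placeholders standing in for the stored password hashes.
SAMPLE_SYSTEM_USERS = [
    {"db": "app1", "user": "alice", "pwd": "HASH_A", "readOnly": False},
    {"db": "app2", "user": "alice", "pwd": "HASH_A", "readOnly": False},  # same credentials reused
    {"db": "app2", "user": "bob",   "pwd": "HASH_B", "readOnly": False},
    {"db": "app3", "user": "carol", "pwd": "HASH_C", "readOnly": True},
    {"db": "app3", "user": "alice", "pwd": "HASH_D", "readOnly": False},  # different password: fine
]


def find_reused_hashes(docs):
    """Return {hash: sorted [(db, user), ...]} for every hash that is stored in more than one database."""
    by_hash = defaultdict(set)
    for d in docs:
        by_hash[d["pwd"]].add((d["db"], d["user"]))
    return {h: sorted(e) for h, e in by_hash.items() if len({db for db, _ in e}) > 1}


def hash_readers(docs):
    """Return {db: sorted [users]} of read-write users; in 2.2 these can read that db's system.users."""
    readers = defaultdict(set)
    for d in docs:
        if not d.get("readOnly", False):
            readers[d["db"]].add(d["user"])
    return {db: sorted(u) for db, u in readers.items()}


def reuse_report(docs):
    """For each reused hash, list the other read-write accounts (db, user) able to read it
    from a database where it is stored, i.e. who could replay it against the other databases."""
    readers = hash_readers(docs)
    report = []
    for h, entries in find_reused_hashes(docs).items():
        owners = set(entries)
        exposed_to = sorted({(db, r) for db, _ in entries
                             for r in readers.get(db, ()) if (db, r) not in owners})
        report.append({"hash": h, "stored_in": entries, "readable_by": exposed_to})
    return report


if __name__ == "__main__":
    for finding in reuse_report(SAMPLE_SYSTEM_USERS):
        print(finding)
```

Run against documents exported from each database's system.users collection, a non-empty report identifies exactly the credential pairs that must be made unique per database.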

Thanks to Will Urbanski, from Dell SecureWorks, for identifying this issue.