User Accounts and Passwords source file

Hi,

Is there a possibility to get the username and password from CouchDB of all users, and compile it? I am doing some data investigation that will need their accounts.

Is it possible to find it in the database? Like the username and the password that is not encrypted?

Thanks.

@Marcelo_De_Guzman - Hi there!

Short answer is no: there’s no way to get a password for an existing user from the _users database in CouchDB. You can change it to a new value if that helps though!

Long answer is that while it is easy to get a list of usernames, it is impossible to get a list of passwords. For example, I just created two users named test1 and test2 - they both have the identical password Medic321. When logged in as the CouchDB admin user, and then browsing to Fauxton’s UI at /utils/, I can see all my users in the _users database:

org.couchdb.user:test1	org.couchdb.user:test1	{ "rev": "1-223a9e3048689562404ece2a130e7c9d" }	
org.couchdb.user:test2	org.couchdb.user:test2	{ "rev": "1-49c3e891b0481383464f769672a6148b" }

But when I open each record and look at the value of the derived_key for each user, you’ll see these values, which are both different from each other and not at all Medic321:

  • test1 - 3a96d10de424e615a144f0ac02261060809ecb49
  • test2 - a5f15512ea5565cfe9e99744532f1b8e04f0cb40

This is because each password is securely and irrevocably scrambled. Technically this is called a hash, and it is created by taking a random string (the salt), combining it with the password, and then using the pbkdf2 hashing algorithm to hash it. This is intentionally a very one-way process.

When a user logs in, CouchDB first checks if there’s a matching username, and if there is, it retrieves the salt. It then hashes the salt and the provided password and checks the freshly calculated hash against the stored hash. If it matches, you’re allowed to log in.

You can read more about this process on CouchDB’s docs.

1 Like
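To make the salt-then-pbkdf2 process in the answer above concrete, here is an added worked example (not code from the original post, and not CouchDB's own implementation). It builds two user records the way a hashing password store does, keeping only a salt and a derived_key, and then replays the login check: look up the user, read their salt, re-hash the presented password and compare it with the stored hash. The field names mirror a CouchDB _users document (password_scheme, iterations, salt, derived_key); the choice of SHA-1 as the PBKDF2 digest, the 10-iteration count and the way the salt bytes are fed in are assumptions for illustration and are not claimed to be byte-for-byte compatible with a real CouchDB instance.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters, chosen to resemble a CouchDB _users record: a per-user
# random salt, an iteration count and a hex derived_key. SHA-1 produces a
# 20-byte digest, i.e. the 40 hex characters seen in the derived_key values
# quoted in the thread; the exact digest and iteration count are assumptions.
HASH_NAME = "sha1"
ITERATIONS = 10


def make_user_doc(name: str, password: str, salt: Optional[bytes] = None) -> dict:
    """Create a user record that stores a salted PBKDF2 hash, never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, so equal passwords hash differently
    derived = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return {
        "_id": f"org.couchdb.user:{name}",
        "name": name,
        "type": "user",
        "roles": [],
        "password_scheme": "pbkdf2",
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "derived_key": derived.hex(),
    }


def verify_login(users: Dict[str, dict], name: str, password: str) -> bool:
    """Replay the login check: find the user, take their salt, re-hash the
    supplied password and compare it with the stored derived_key."""
    doc = users.get(f"org.couchdb.user:{name}")
    if doc is None:
        return False
    salt = bytes.fromhex(doc["salt"])
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, doc["iterations"]
    )
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate.hex(), doc["derived_key"])


def build_demo_users() -> Dict[str, dict]:
    """Two constructed users with the identical password used in the thread."""
    docs = [make_user_doc("test1", "Medic321"), make_user_doc("test2", "Medic321")]
    return {doc["_id"]: doc for doc in docs}


if __name__ == "__main__":
    users = build_demo_users()
    for doc_id, doc in users.items():
        print(doc_id, doc["derived_key"])  # same password, two different derived keys
    print("test1 / Medic321:", verify_login(users, "test1", "Medic321"))  # True
    print("test1 / medic321:", verify_login(users, "test1", "medic321"))  # False
```

Running it shows the point of the thread: the two records share a password yet carry different derived_key values, the record itself never contains the password, and the only thing the server can do with the stored data is confirm or reject a password someone presents to it.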

+1 to what @mrjones said - don’t trust any system that lets you retrieve your password because it means it’s not being stored securely.

Assuming you have access to the administrator role, you should be able to access all data directly, without requiring user passwords. What data are you investigating?