[mhotchen]

I wouldn't call it a bastion of security but MySQL typically installs with a root user with no password. So how do they not have the same level of exposed data? By default only local connections are allowed. If Mongo had the same pattern then this whole calamity could have been avoided whilst still allowing the ease of setting up on local environments.

[malka]

IIRC, even if you enable remote connection, the passwordless login is still only authorized locally.

[mhotchen]

Yeah good point, you're right. The root user is defined as root@localhost, not root@%.

[Fnoord]

Has that always been the case?

[agopaul]

On what distro/OS? On Ubuntu you get to pick the root password during installation

[mhotchen]

On Ubuntu specifically if you do the quiet option (for example as part of an automated script) then it will leave it blank. Even with the prompt it says it's optional but encouraged.