This issue is about using something other than plain SHA hashing for: a) password hashing in the CouchDB configuration file, e.g. local.ini, b) password hashing in the on-disk storage of the _users database. The cookie authentication hash method probably has a vulnerability as well, but that is something separate to solve and not what I am writing about here. Also, I am not talking about online authentication attacks carried out through remotely exposed interfaces, but about offline attacks that become possible once hashed passwords have been obtained by some means.
If access restrictions to the _users database and the configuration file are in place, the passwords stored there might just as well be in plaintext, which would be fine by me. Yet they aren't, which leads me to believe that somebody thinks there is some actual security provided by the hash method CouchDB uses in those places.
So, to make my suggestion clearer, I suggest one of two options:
1) use a standard slow hash function instead of the current SHA-1 solution for storing passwords
2) store passwords in plaintext, encoded in base64 (to prevent accidental exposure if shown to an admin)
The current solution gives users a false sense of security and gains very little in practice.
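As an added illustration (not code from the CouchDB project or from this issue), the following Python script runs the same offline dictionary attack against a salted SHA-1 hash and against PBKDF2-HMAC-SHA256, a standard slow hash, and measures what each guess costs the attacker. The wordlist, the victim password, the 100,000-iteration count and the hash layout are constructed assumptions; CouchDB's actual on-disk format is not reproduced.

```python
"""Offline password cracking cost: fast salted SHA-1 versus a slow hash (PBKDF2).

Added example, not CouchDB code. The attacker model is the one from the issue:
the hash and salt are already in hand (read from a config file or the on-disk
user database), so nothing rate-limits guessing except the hash function itself.
"""
import hashlib
import os
import time

# Constructed sample data (assumption): a tiny wordlist that happens to contain
# the victim's password, so the dictionary attack is guaranteed to succeed.
WORDLIST = ["letmein", "password", "couchdb", "admin123", "hunter2", "relax", "s3cret"]
VICTIM_PASSWORD = "hunter2"


def sha1_salted(password, salt):
    """Fast salted SHA-1, standing in for the 'plain SHA hashing' criticised above.
    Layout (password || salt) is an assumption for illustration only."""
    return hashlib.sha1(password.encode() + salt).digest()


def pbkdf2_slow(password, salt, iterations=100_000):
    """A standard slow hash: PBKDF2-HMAC-SHA256. The iteration count is the
    tunable work factor every single guess has to pay."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def offline_dictionary_attack(stored, salt, wordlist, hash_fn):
    """Try each candidate against the stolen (hash, salt) pair.
    Returns (recovered_password_or_None, guesses_tried, seconds_elapsed)."""
    start = time.perf_counter()
    for tried, candidate in enumerate(wordlist, 1):
        if hash_fn(candidate, salt) == stored:
            return candidate, tried, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def seconds_per_guess(hash_fn, salt, guesses):
    """Measure the average per-guess cost an attacker pays for hash_fn."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn("guess%d" % i, salt)
    return (time.perf_counter() - start) / guesses


def compare_costs(salt=None):
    """Run the same attack against both schemes and report the slowdown factor
    the slow hash imposes on every guess. Both attacks recover the password;
    the difference is purely how much work each guess costs."""
    salt = salt or os.urandom(16)
    fast_stored = sha1_salted(VICTIM_PASSWORD, salt)
    slow_stored = pbkdf2_slow(VICTIM_PASSWORD, salt)
    fast = offline_dictionary_attack(fast_stored, salt, WORDLIST, sha1_salted)
    slow = offline_dictionary_attack(slow_stored, salt, WORDLIST, pbkdf2_slow)
    fast_cost = seconds_per_guess(sha1_salted, salt, 2000)
    slow_cost = seconds_per_guess(pbkdf2_slow, salt, 3)
    return {"fast": fast, "slow": slow, "slowdown": slow_cost / fast_cost}


if __name__ == "__main__":
    result = compare_costs()
    print("salted SHA-1 : recovered %r after %d guesses in %.6fs" % result["fast"])
    print("PBKDF2-SHA256: recovered %r after %d guesses in %.3fs" % result["slow"])
    print("each guess costs the attacker about %.0fx more with the slow hash"
          % result["slowdown"])
```

The takeaway is that salting alone does not change the per-guess cost; only a hash with a work factor does. With a wordlist of millions of entries, the slowdown factor printed here is the difference between seconds and months of attacker time.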