[SAC] Fwd: passwords being sent in clear text

Seven (aka Arnulf) seven at arnulf.us
Sun Dec 2 04:56:51 PST 2012



SAC,
I'll make a motion to turn off the reminders in a separate mail.

The argumentation is in this mail (ignore in case you don't want to
bother).


Thanks for bringing this up. I have been using mailman for so long
that I do not see these things anymore. Unfortunately it is a broader
issue, I'll try to expand here.

New people will potentially use their "secure" password trusting that
we deal with it in a secure manner. Which we (or rather mailman)
obviously don't! Therefore we can obviously not continue proceeding as
we did so far. More inline.

On 12/01/2012 07:38 PM, Alex Mandel wrote:
> On 12/01/2012 11:27 AM, Eli Adam wrote:
>> On Sat, Dec 1, 2012 at 11:14 AM, Alex Mandel
>> <tech_dev at wildintellect.com> wrote:
>> 
>>> I have not seen such a request before. I will note that the
>>> behavior is the same for every mailman list I'm subscribed to
>>> on the web. I don't think mailing list preference passwords are
>>> typically considered secure.
>>> 
>>> That said, it's not a bad idea to research options to make it
>>> more secure.
>>> 
>>> Quick search says, we should simply disable the monthly
>>> reminders. Supposedly updates to mailman years ago should have
>>> moved to hashed passwords and not auto-mailing them, but I
>>> don't see any evidence that those patches were ever released.
>>> 
>> 
>> It may be good policy to universally disable this.
>> 
>> Right now the user already has complete control and can make
>> their own decisions.
>> 
>> Copied from logging into an OSGeo list:
>> 
>> *Get password reminder email for this list?*
>> 
>> Once a month, you will get an email containing a password
>> reminder for every list at this host to which you are subscribed.
>> You can turn this off on a per-list basis by selecting *No* for
>> this option. If you turn off password reminders for all the lists
>> you are subscribed to, no reminder email will be sent to you. No 
>> Yes
>> 
>> *Set globally*
>> 
>> Is this thread about universally establishing good policy for all
>> users or helping 1 user change their settings to how they like
>> them?
>> 
>> Eli
>> 
>> 
>>> 
> 
> Universal good policy. Users seem to expect the default to be that
> a password is somewhat secure (even if it's not true or they are
> told it isn't so).

The very concept of "password" is security. Therefore in my opinion we
cannot just say that we don't deal with it in secure ways. We know
that people do not bother to read terms-of-service or any other
fine print (http://tos-dr.info).

> Note I have not seen a way to do this for all lists at once, might
> need to be done 1 list at a time. I have also failed to find where 
> to set it to store encrypted passwords.

To do this properly our system would have to send a one time token in
a link to our website and ask the user to interactively change the
password. Any sending around of passwords via mail is a no-go.

> Yes, users can opt out of the reminders themselves, I have my
> doubts users will ever find/see that.

Correct. But even if people turn it off we would still not have a safe
way of resetting user passwords because we should not have it in
unencrypted form anywhere on our system anyway.

> I'll note password notification can be requested from the list page
> at any time by any user who needs it, so disabling the reminders
> loses no functionality.

Yes, but we are still not secure at all when we send it unencrypted
via email.

> Some have noted that mailman for regular users shouldn't even
> bother with passwords as everything could be done via email
> verification (things sent to the email address).

This is probably the only right way of doing it. What implications
will this have on our Spam issues? We do need to have a certain
barrier of entry making sure that humans with some intention can get
into a mailing list, even if only to prevent automated spam.

What do we lose? A monthly reminder that this list exists and that you
are subscribed to it. Is that something we cannot afford to miss?

> Any mailman admins up for trying to change the settings? Perhaps 
> changing the default value for new list creation too?

I support deactivating reminders. Let's see if anybody else has
something to say that we might have forgotten. If not I suggest to
switch this setting off maybe in a week, if necessary I will go through

We can't be the only ones with this problem?!

Cheers,
Arnulf

> Thanks, Alex


-- 
Seven of Nine
http://arnulf.us/Seven
Exploring Body, Space and Mind
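The reset flow Arnulf argues for (a one-time token in a link, the password itself never mailed and never stored in clear) as an added example; this is not code from the thread or from Mailman, and the in-memory store, the 15-minute validity and the `lists.example.org` URL are assumptions.

```python
# Added example (not from the SAC thread or Mailman): token-based reset that
# mails a one-time link instead of the password and stores only hashes.
# Assumed: an in-memory store; a real deployment would use the list database.
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed value)

class PasswordResetService:
    def __init__(self):
        self.users = {}    # email -> {"salt": bytes, "hash": bytes}
        self.tokens = {}   # sha256(token) -> (email, expiry)

    @staticmethod
    def _hash_password(password, salt):
        # Only a salted PBKDF2 hash is kept; the clear password is never stored.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_password(self, email, password):
        salt = os.urandom(16)
        self.users[email] = {"salt": salt, "hash": self._hash_password(password, salt)}

    def verify_password(self, email, password):
        rec = self.users.get(email)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], self._hash_password(password, rec["salt"]))

    def request_reset(self, email, now=None):
        """Return the link to mail; the token is random and only its hash is stored."""
        now = time.time() if now is None else now
        if email not in self.users:
            return None  # reveal nothing about unknown addresses
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (email, now + TOKEN_TTL)
        return f"https://lists.example.org/reset?token={token}"  # assumed URL

    def complete_reset(self, token, new_password, now=None):
        """Consume the token once; reject unknown or expired tokens."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # single use, even when expired
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        self.set_password(email, new_password)
        return True
```

The mailed link carries only the random token, so a leaked reminder mail or a dump of the token table exposes neither the password nor a reusable token.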

