[SAC] Fwd: passwords being sent in clear text

Hamish hamish_b at yahoo.com
Mon Jul 1 16:09:29 PDT 2013


Zac wrote:
> yet another round of passwords just got sent out in plaintext

A reminder that any subscriber can go into their Mailman settings and
turn off the monthly reminders by hand, and tick the 'apply to all
lists at this site' checkbox while they're at it.

Seeing the ML passwords are being sent out as plain text, they must
also be stored in plain text on the server, and so are inherently
unsafe & you should never (re)use an important password for the
mailing lists anyway. So with that in consideration I'd suggest the
best short-term approach is to put a warning on the mailing list
signups not to use something you want to keep super-secret. It
wouldn't exactly instill a sense of trust in our products from new
users, but it would be the truth.

As to monthly reminders being on or off by default, I'd lean on the
side of off-by-default; my main point, though, is that it's not the
whole of the issue.


regards,
Hamish
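
Added example, not part of the original message and not Mailman's own code: a sketch of why a server that can mail a password back must be holding it in recoverable form, while a store that keeps only a salted one-way digest can verify a login but has nothing to quote in a reminder. The class names, method names and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000  # assumed work factor for this sketch


class PlaintextStore:
    """Keeps the password itself, so a reminder mail can quote it."""

    def __init__(self):
        self._passwords = {}

    def set_password(self, address, password):
        self._passwords[address] = password

    def check(self, address, password):
        stored = self._passwords.get(address)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

    def reminder(self, address):
        # Whoever can read the database, a backup or the mail in transit sees this value.
        return self._passwords[address]


class HashedStore:
    """Keeps only (salt, PBKDF2 digest); the password cannot be read back."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, address, password):
        salt = secrets.token_bytes(16)  # fresh random salt per subscriber
        self._records[address] = (salt, self._derive(password, salt))

    def check(self, address, password):
        record = self._records.get(address)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, self._derive(password, salt))

    def reminder(self, address):
        # Nothing to quote: the server would have to offer a reset instead.
        return None
```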


