[SAC] Fwd: passwords being sent in clear text

Eli Adam eadam at co.lincoln.or.us
Sat Dec 1 11:27:37 PST 2012


On Sat, Dec 1, 2012 at 11:14 AM, Alex Mandel <tech_dev at wildintellect.com> wrote:

> I have not seen such a request before. I will note that the behavior is
> the same for every mailman list I'm subscribed to on the web. I don't
> think mailing list preference passwords are typically considered secure.
>
> That said, it's not a bad idea to research options to make it more secure.
>
> Quick search says, we should simply disable the monthly reminders.
> Supposedly updates to mailman years ago should have moved to hashed
> passwords and not auto-mailing them, but I don't see any evidence that
> those patches were ever released.
>

It may be good policy to universally disable this.

Right now the user already has complete control and can make their own
decisions.

Copied from logging into an OSGeo list:

*Get password reminder email for this list?*

Once a month, you will get an email containing a password reminder for
every list at this host to which you are subscribed. You can turn this off
on a per-list basis by selecting *No* for this option. If you turn off
password reminders for all the lists you are subscribed to, no reminder
email will be sent to you.
No
Yes

*Set globally*

Is this thread about universally establishing good policy for all users or
helping 1 user change their settings to how they like them?

Eli


>
> Thanks,
> Alex
>
> On 12/01/2012 10:07 AM, Paul Ramsey wrote:
> > Do you guys get a lot of these? This is just mailman being mailman,
> > but it's the second irate "you have a security problem" mail I've
> > gotten in just a couple months.
> > p
> >
> >
> >
> >
> > I just got a "reminder" email from mailman-owner at lists.osgeo.org about
> > my subscription information. You are listed on the website as the
> > maintainer. The reminder e-mail contains my e-mail address and
> > listserv password sent in clear text. It even contains the word
> > "password" which is one of the first things a packet sniffing cracker
> > would filter on. This is clearly a security issue. Please fix this.
> > _______________________________________________
> > Sac mailing list
> > Sac at lists.osgeo.org
> > http://lists.osgeo.org/mailman/listinfo/sac
> >
>