[SAC] Fwd: passwords being sent in clear text

Alex Mandel tech_dev at wildintellect.com
Sat Dec 1 11:38:57 PST 2012


On 12/01/2012 11:27 AM, Eli Adam wrote:
> On Sat, Dec 1, 2012 at 11:14 AM, Alex Mandel <tech_dev at wildintellect.com> wrote:
> 
>> I have not seen such a request before. I will note that the behavior is
>> the same for every mailman list I'm subscribed to on the web. I don't
>> think mailing list preference passwords are typically considered secure.
>>
>> That said, it's not a bad idea to research options to make it more secure.
>>
>> Quick search says, we should simply disable the monthly reminders.
>> Supposedly updates to mailman years ago should have moved to hashed
>> passwords and not auto-mailing them, but I don't see any evidence that
>> those patches were ever released.
>>
> 
> It may be good policy to universally disable this.
> 
> Right now the user already has complete control and can make their own
> decisions.
> 
> Copied from logging into an OSGeo list:
> 
> *Get password reminder email for this list?*
> 
> Once a month, you will get an email containing a password reminder for
> every list at this host to which you are subscribed. You can turn this off
> on a per-list basis by selecting *No* for this option. If you turn off
> password reminders for all the lists you are subscribed to, no reminder
> email will be sent to you.
> No
> Yes
> 
> *Set globally*
> 
> Is this thread about universally establishing good policy for all users or
> helping 1 user change their settings to how they like them?
> 
> Eli
> 

Universal good policy. Users seem to expect the default to be that a
password is somewhat secure (even if it's not true or they are told it
isn't so). Note I have not seen a way to do this for all lists at once,
might need to be done 1 list at a time. I have also failed to find where
to set it to store encrypted passwords.

Yes, users can opt out of the reminders themselves, but I have my doubts
users will ever find/see that. I'll note password notification can be
requested from the list page at any time by any user who needs it, so
disabling the reminders loses no functionality.

Some have noted that mailman for regular users shouldn't even bother
with passwords as everything could be done via email verification
(things sent to the email address).

Any mailman admins up for trying to change the settings? Perhaps
changing the default value for new list creation too?

Thanks,
Alex
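The thread above asks for two things: turning off the list-level "Send monthly password reminders?" switch on every existing list without visiting each admin page, and making the opt-out the default for people who subscribe later. Below is an added example of how a Mailman 2.1 admin could do both with a `withlist` script and an `mm_cfg.py` override. It is not OSGeo's or Mailman's own code; the module name `disable_reminders`, the `_FakeList` stand-in, and the sample list names are assumptions made so it runs offline. It relies on Mailman 2.1 facts I am confident of: `MailList` exposes `send_reminders`, `Locked()`, `Lock()`, `Save()` and `Unlock()`; `bin/withlist -a -r module.function` calls the function once per list; and `Defaults.py` defines the per-member flag `SuppressPasswordReminder = 32`, which is OR'd into `DEFAULT_NEW_MEMBER_OPTIONS` for new subscribers. Take the current `DEFAULT_NEW_MEMBER_OPTIONS` value from your own `Defaults.py` rather than trusting any number here.

```python
# disable_reminders.py -- added example, not part of Mailman or OSGeo's config.
# Run from the Mailman install directory as the Mailman user:
#   bin/withlist -a -r disable_reminders.disable_reminders
# -a applies the callable to every list; -r names module.function.
# Written to run under both Python 2 (Mailman 2.1) and Python 3.
from __future__ import print_function

# Per-member option bit "SuppressPasswordReminder" from Mailman 2.1 Defaults.py.
SUPPRESS_PASSWORD_REMINDER = 32


def disable_reminders(mlist):
    """Clear the list-level 'Send monthly password reminders?' switch.

    withlist hands us an unlocked MailList. A change only persists after
    Save(), and Save() requires the lock, so lock, change, save, unlock.
    Returns True if the list was changed, False if reminders were already off.
    """
    was_locked = mlist.Locked()
    if not was_locked:
        mlist.Lock()
    try:
        needs_change = bool(mlist.send_reminders)
        if needs_change:
            mlist.send_reminders = 0
            mlist.Save()
        return needs_change
    finally:
        if not was_locked:
            mlist.Unlock()


def new_member_default_options(current, suppress=True):
    """Return the DEFAULT_NEW_MEMBER_OPTIONS bitmask for mm_cfg.py with the
    reminder-suppression bit set (or cleared), so new subscribers start
    opted out even on lists where an admin later re-enables reminders.
    """
    if suppress:
        return current | SUPPRESS_PASSWORD_REMINDER
    return current & ~SUPPRESS_PASSWORD_REMINDER


class _FakeList(object):
    """Constructed stand-in for Mailman.MailList.MailList so this file can be
    exercised without a Mailman install. withlist passes the real object."""

    def __init__(self, name, send_reminders):
        self._name = name
        self.send_reminders = send_reminders
        self._locked = False
        self.saves = 0

    def internal_name(self):
        return self._name

    def Locked(self):
        return self._locked

    def Lock(self):
        self._locked = True

    def Unlock(self):
        self._locked = False

    def Save(self):
        assert self._locked, "Save() without the lock is a bug"
        self.saves += 1


if __name__ == '__main__':
    # Constructed sample lists: one with reminders on, one already off.
    for lst in (_FakeList('sac', 1), _FakeList('discuss', 0)):
        state = 'changed' if disable_reminders(lst) else 'already off'
        print('%s: %s' % (lst.internal_name(), state))
    # Value to paste into mm_cfg.py, computed from whatever Defaults.py ships:
    print('DEFAULT_NEW_MEMBER_OPTIONS = %d' % new_member_default_options(256))
```

To make the switch the default for lists created later, add `DEFAULT_SEND_REMINDERS = No` to `mm_cfg.py` (it is read at list-creation time, so existing lists still need the `withlist` pass). Note that neither change hashes the stored passwords; members can still request their password from the list info page, which is why the thread argues nothing is lost by turning the monthly mail off.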

