[sdiy] Password reminders are now off

mskala at ansuz.sooke.bc.ca mskala at ansuz.sooke.bc.ca
Wed Sep 30 07:19:53 CEST 2015


On Tue, 29 Sep 2015, Rick Jansen wrote:
> Never noticed it, but Mailman sends password reminders with your password in plain text, every month. I have now switched that off.
>
> (I'll see if a newer version does this more cleverly..)

I think it may be the right thing.  You're going to have to send the
password back in plain text to use it anyway; and any forgotten-password
recovery mechanism would normally depend on your receiving a token by
email, which would be equally vulnerable to interception.  This is not
high security, but not much better is possible for a system that operates
over unencrypted email.  That's why the instructions are full of warnings
not to use a valuable password.  Also note that someone's list-management
account for a public mailing list is not really an attractive target -
unauthorized access to it means an attacker can unsubscribe you, and
basically that's all.  If they can read your email, they can do other much
more damaging and tempting things.

Weighing it against the annoyance all mailing lists routinely experience
from people writing their "please unsubscribe me" requests to humans on
the list and ignoring the instructions on how to control their own
subscriptions themselves, I think there's a lot of value in making sure
people are frequently reminded of their own list-management passwords.

-- 
Matthew Skala
mskala at ansuz.sooke.bc.ca                 People before principles.
http://ansuz.sooke.bc.ca/


