[sdiy] Password reminders are now off

Rick Jansen rick.jansen at xs4all.nl
Wed Sep 30 16:44:01 CEST 2015


No, you can do all this without ever sending a plain text password via mail, or storing it in a readable format. The web interface is https, so encrypted too. I'll look into a mailman update.

In the meantime, please don't use a password here that will give access to private data anywhere else.

r.

> On 30 Sep 2015, at 07:19, mskala at ansuz.sooke.bc.ca wrote:
> 
>> On Tue, 29 Sep 2015, Rick Jansen wrote:
>> Never noticed it, but Mailman sends password reminders with your password in plain text, every month. I have now switched that off.
>> 
>> (I'll see if a newer version does this more cleverly..)
> 
> I think it may be the right thing.  You're going to have to send the
> password back in plain text to use it anyway; and any forgotten-password
> recovery mechanism would normally depend on your receiving a token by
> email, which would be equally vulnerable to interception.  This is not
> high security, but not much better is possible for a system that operates
> over unencrypted email.  That's why the instructions are full of warnings
> not to use a valuable password.  Also note that someone's list-management
> account for a public mailing list is not really an attractive target -
> unauthorized access to it means an attacker can unsubscribe you, and
> basically that's all.  If they can read your email, they can do other much
> more damaging and tempting things.
> 
> Weighing it against the annoyance all mailing lists routinely experience
> from people writing their "please unsubscribe me" requests to humans on
> the list and ignoring the instructions on how to control their own
> subscriptions themselves, I think there's a lot of value in making sure
> people are frequently reminded of their own list-management passwords.
> 
> -- 
> Matthew Skala
> mskala at ansuz.sooke.bc.ca                 People before principles.
> http://ansuz.sooke.bc.ca/
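
The trade-off debated in this thread, as an added example that is not part of the original messages and is not Mailman's code: a store that keeps only a salted password hash (so no reminder can be mailed) and issues a single-use, expiring reset token instead. `MemberStore`, `RESET_TTL`, the PBKDF2 iteration count and the addresses used with it are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 15 * 60      # seconds a mailed reset token stays valid (assumed policy)
KDF_ROUNDS = 600_000     # PBKDF2-HMAC-SHA256 iterations (assumed work factor)

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)

class MemberStore:
    """Hypothetical subscriber store: no field can reproduce a password."""

    def __init__(self):
        self.creds = {}    # address -> (salt, derived key)
        self.resets = {}   # address -> (sha256 of token, expiry time)

    def set_password(self, addr, password):
        salt = secrets.token_bytes(16)
        self.creds[addr] = (salt, _kdf(password, salt))

    def check_password(self, addr, password):
        # Unknown addresses still pay for one KDF run and then fail.
        salt, digest = self.creds.get(addr, (b"\0" * 16, b""))
        return hmac.compare_digest(_kdf(password, salt), digest)

    def start_reset(self, addr, now=None):
        """Return the token to mail out; only its hash is stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).digest()
        self.resets[addr] = (token_hash, now + RESET_TTL)
        return token

    def finish_reset(self, addr, token, new_password, now=None):
        now = time.time() if now is None else now
        # pop() makes the pending reset single use: any attempt consumes it.
        token_hash, expiry = self.resets.pop(addr, (b"", 0.0))
        presented = hashlib.sha256(token.encode()).digest()
        ok = now <= expiry and hmac.compare_digest(presented, token_hash)
        if ok:
            self.set_password(addr, new_password)
        return ok
```

An intercepted reset mail here exposes a token that works once within `RESET_TTL`, while an intercepted monthly reminder exposes the password itself for as long as it stays unchanged.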


