[sdiy] Password reminders are now off

Rick Jansen rick.jansen at xs4all.nl
Wed Sep 30 18:43:28 CEST 2015


Well, Mailman 2.10 still keeps passwords in plain text.
It's not my preference either, but I cannot change it.
I'll look at Mailman 3 later.

Meanwhile:
- automatic password reminders are off
- don't use precious passwords for synth-diy (although it is a precious pw in itself)

rick

On 30/09/2015 16:44, Rick Jansen wrote:
> No, you can do all this without ever sending a plain text password via mail, or storing
> it in a readable format. The web interface is https, so encrypted too. I'll look into a
> Mailman update.
>
> In the meantime, please don't use a password here that will give access to private
> data, anywhere else.
>
> r.
>
>> On 30 Sep 2015, at 07:19, mskala at ansuz.sooke.bc.ca wrote:
>>
>>> On Tue, 29 Sep 2015, Rick Jansen wrote:
>>>
>>> Never noticed it, but Mailman sends password reminders with your password in
>>> plain text, every month. I have now switched that off.
>>>
>>> (I'll see if a newer version does this more cleverly..)
>>
>> I think it may be the right thing.  You're going to have to send the password back in
>> plain text to use it anyway; and any forgotten-password recovery mechanism would
>> normally depend on your receiving a token by email, which would be equally vulnerable
>> to interception.  This is not high security, but not much better is possible for a
>> system that operates over unencrypted email.  That's why the instructions are full of
>> warnings not to use a valuable password.  Also note that someone's list-management
>> account for a public mailing list is not really an attractive target - unauthorized
>> access to it means an attacker can unsubscribe you, and basically that's all.  If
>> they can read your email, they can do other much more damaging and tempting things.
>>
>> Weighing it against the annoyance all mailing lists routinely experience from people
>> writing their "please unsubscribe me" requests to humans on the list and ignoring the
>> instructions on how to control their own subscriptions themselves, I think there's a
>> lot of value in making sure people are frequently reminded of their own
>> list-management passwords.
>>
>> -- Matthew Skala mskala at ansuz.sooke.bc.ca                 People before principles.
>> http://ansuz.sooke.bc.ca/
>