[Mailman-Developers] Hashing member passwords in config.pck

Chuq Von Rospach chuqui at plaidworks.com
Thu Feb 10 17:22:29 CET 2005


On Feb 10, 2005, at 7:02 AM, Barry Warsaw wrote:

> I think CAN-2005-0202 gives us the opportunity to finally implement what
> we have long considered an embarrassing exposure in Mailman's config.pck
> databases.  Member passwords are kept in this database in the clear.
> The obvious fix is to hash member passwords and keep only the hash in
> the database.

+1

> As for #2, well, I think most people hate those password reminders anyway,

Yes. We have some folks on our lists who send us monthly "why haven't
you stopped doing this yet?" messages. It'd almost be amusing, if it
weren't so annoying... (grin)

> To do this for 2.1.6, we'd have to change the "Email My Password To Me"
> feature in the options page and in the member login page.  These would
> have to become a "create a new password for me" feature.

+1

> The downside to doing this now is that it's more coding work for 2.1.6
> and I'd like to get the new version out asap.  Still, this seems like an
> opportunity that we shouldn't lightly dismiss.

Get the patch out with 2.1.6, then do 2.1.7 with the new password
stuff. I think that's reasonable.
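The two changes discussed in this thread, storing only a salted hash of each member password and replacing "Email My Password To Me" with a "create a new password for me" reset, can be sketched in a few lines of Python. The following is an added illustration, not Mailman code and not a description of how 2.1.x actually stores passwords: the record layout, the PBKDF2 parameters, and the function names are assumptions made for the example, and the member dictionary is constructed input standing in for the cleartext entries a config.pck would hold.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Parameters chosen for this example; they are not Mailman's settings.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return a record holding only the salt, the iteration count and the
    PBKDF2 digest of the password. The cleartext is never stored."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # fresh per-member salt
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, iterations)
    return {
        "alg": "pbkdf2_" + HASH_NAME,
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                    bytes.fromhex(record["salt"]),
                                    record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def generate_password(nbytes: int = 9) -> str:
    """A random password from the OS CSPRNG, for the reset flow."""
    return secrets.token_urlsafe(nbytes)


def migrate_cleartext_passwords(members: dict) -> dict:
    """One-time conversion of {address: cleartext} to {address: hashed record},
    as a 2.1.x-to-hashed upgrade step would need to do."""
    return {addr: hash_password(pw) for addr, pw in members.items()}


def reset_password(hashed_members: dict, address: str) -> str:
    """The 'create a new password for me' replacement for password reminders:
    mint a new random password, store only its hash, and return the cleartext
    once so the caller can mail it. Nothing recoverable remains in the store."""
    new_password = generate_password()
    hashed_members[address] = hash_password(new_password)
    return new_password


if __name__ == "__main__":
    # Constructed sample: what a cleartext member database looks like today.
    cleartext_db = {"alice@example.com": "hunter2", "bob@example.com": "s3cret"}
    hashed_db = migrate_cleartext_passwords(cleartext_db)
    print("alice logs in:", verify_password("hunter2", hashed_db["alice@example.com"]))
    mailed = reset_password(hashed_db, "alice@example.com")
    print("new password mailed once:", mailed)
    print("old password still works:", verify_password("hunter2", hashed_db["alice@example.com"]))
    print("cleartext present in store:", "hunter2" in repr(hashed_db))
```

After migration a leaked config.pck yields only salts and digests, and a reminder can no longer be sent because the server no longer knows the password; the reset path hands out a new one instead.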