[ mailman-Feature Requests-1441723 ] privacy hole in password reminder

Feature Requests item #1441723, was opened at 2006-03-03 00:48
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=350103&aid=1441723&group_id=103

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: dmvianna (dmvianna)
Assigned to: Nobody/Anonymous (nobody)
Summary: privacy hole in password reminder

Initial Comment:
Mailman sends me password reminders in plain text. I can disable this feature, but other users can manually make it send a reminder just as if I had forgotten the password, with no other question being asked. If smart enough to intercept that message, the attacker could:

1) Get my password;
2) get my IP in the mail header.

Possible solutions:

1) Some sites and programs use a "secret question" whose right answer would give the user the chance to get a password reminder.
2) The password could be prompted in a secure HTML page. I find this safer, as compared to plain text mails.