Bugs item #209499, was opened at 2000-07-13 20:26 Message generated for change (Comment added) made by msapiro You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=209499&group_id=103 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: None Status: Closed Resolution: Wont Fix Priority: 5 Private: No Submitted By: L. Peter Deutsch (lpd) Assigned to: Nobody/Anonymous (nobody) Summary: Security hole: passwords mailed in clear Initial Comment: I recently signed up on a SourceForge mailing list. The software mailed a confirmation notice to my mailbox, with the password in clear in the message. This is a basic security hole. I reported this as a SourceForge bug, and they said "Contact the gnu-mailman project." In my opinion, passwords should never be mailed in clear, especially not to the e-mail address with which they are associated. Please consider changing this. ----------------------------------------------------------------------

Comment By: Mark Sapiro (msapiro) Date: 2007-03-01 10:44

Message: Logged In: YES user_id=1123998 Originator: NO This will finally be fixed in Mailman 2.2. ---------------------------------------------------------------------- Comment By: Benjamin Bl�mchen (bburkhart) Date: 2006-11-26 11:23 Message: Logged In: YES user_id=597317 Originator: NO Hello everyone, to me, mailing passwords in clear text is never acceptable. In some setups. one never knows who else is looking at the mail. The lack of biological RAM in layer 8 is also not an excuse. There are better ways of dealing with the password remembering problem. Anyway, mailman is now out of question and also uninstalled from my machine. Cheers Benjamin ---------------------------------------------------------------------- Comment By: L. Peter Deutsch (lpd) Date: 2000-07-23 23:31 Message: It's OK with me if you want to close this report; in my opinion, the Resolution should say "Wont fix". ---------------------------------------------------------------------- Comment By: Thomas Wouters (twouters) Date: 2000-07-17 02:43 Message: The Mailman password is in no way a secure password. Mailman is intended for a wide variety of users, most of which are unable to remember even the simplest password ;) The Mailman password is not used as an authentication method, but more as a *confirmation* method. You'll get a password reminder every month or so (if the list admin and site admin enabled that) and the only thing you use the password for are for unsubscribing, changing your options and viewing the private archive (if any.) In future versions of Mailman it might be possible to use external passwords for mailinglist subscribers, but currently the infrastructure for that is missing. It's on the TODO list, in any case :) ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=209499&group_id=103