Private mailing list archives. Needed for that.
Adrian Bye wrote:
Why even bother with passwords? They're good to include in the unsubscribe URL, so that if someone maliciously gets your list, they can't unsubscribe everyone manually. But mainstream commercial autoresponders have no passwords, and they work great.
Sure, it _is_ possible that someone could cause problems, which a password prevents. But in practice this rarely happens. We're not talking the 80/20 rule
- we're talking the 99.99/0.01 rule.
Your average user is over burdened with passwords, and most mailing lists are pretty low involvement - users don't want to have to remember another password just for a mailing list.
I've actually had some changes to my mailman install made so that users can unsubscribe without a password - I'll share the code next week so you can take a look at it. We also shorted the unsubscribe URLs so it was below 60 chars, ensuring that it would work more reliably and not get broken on some mail clients.
Getting rid of passwords would open up mailman to usage to a much wider range of users, which should mean more development resources and interest.
-----Original Message----- From: Bob Puff@NLE [mailto:bob@nleaudio.com] Sent: Thursday, February 10, 2005 2:30 PM To: Barry Warsaw Cc: mailman-developers@python.org Subject: Re: [Mailman-Developers] Hashing member passwords in config.pck
I've -always- disabled the monthly reminders, so that would be no great loss.
If we convert to one-way passwords, could the upgrade script convert the current passwords? It would be a -big- deal if everyone had to reset their passwords.
Bob
Barry Warsaw wrote:
I think CAN-2005-0202 gives us the opportunity to finally implement what we have long considered an embarrassing exposure in Mailman's config.pck databases. Member passwords are kept in this
database in the clear.
The obvious fix is to hash member passwords and keep only
the hash in
the database.
We haven't changed this before now for two reasons:
- We would have to regenerate all member passwords, which is an administrative burden. We might also need to implement
checks to see
if the passwords were cleartext or hashed and do the password comparison accordingly.
- This breaks all password reminders.
To fully address CAN-2005-0202 we're recommending sites regenerate their member passwords anyway, so this gives us an opening
to fix this
properly. And we have a better internal password generator now too.
As for #2, well, I think most people hate those password reminders anyway, and we've decided that they are going away for MM3.
I don't
think many people would shed too many tears if we killed
off monthly
password reminders for 2.1.6. Doing that would also eliminate the requirement for the site list, since its primary purpose is to function as the sender of the reminder messages.
To do this for 2.1.6, we'd have to change the "Email My
Password To Me"
feature in the options page and in the member login page.
These would
have to become a "create a new password for me" feature. Also, crontab.in should not call mailpasswds anymore, or that
script should
turn into a simple "here's the lists you are on" reminder,
without the
password information in it. This will require i18n updates too.
The downside to doing this now is that it's more coding
work for 2.1.6
and I'd like to get the new version out asap. Still, this
seems like
an opportunity that we shouldn't lightly dismiss.
What do you all think? Is anybody willing to take a crack
at a patch
for this?
-Barry
--
Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe:
http://mail.python.org/mailman/options/mailman-developers/bob%40nleaud
io.com
Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/adri an%40tasdevil.com
Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/bob%40nleaudio.com