--On 9 July 2010 12:11:50 +0200 Anna Granudd <anna.granudd@gmail.com> wrote:
Hi, when subscribing a user or creating a list in Mailman 3.0 we need to implement the use of a password for security reasons. Later the same password will be used for logging in to the settings pages. At the moment passwords are not handled at all which is why I filed bug #600780 (see [1]). However, we're not sure how to handle the passwords at the moment and would like your help with ideas and possible ways to implement this, which is why I want to start a discussion about the password handling/ login function. What do we need to think of and how should this best be dealt with?
Most importantly, passwords must be securely hashed, so that they can't be read by the site or list admins, or by third parties.
That means that password resets must be offered to users, instead of password reminders.
Also, for sites like mine, it would be nice to have more than one password store. For example, I'd like to have users with addresses in the sussex.ac.uk domain authenticated against my current LDAP db, but non-local users authenticate against some other db (perhaps a different branch of the LDAP tree, but perhaps something local).
Thanks, Anna
[1] https://bugs.launchpad.net/mailman/+bug/600780
Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/iane%40sussex.a c.uk
Security Policy: http://wiki.list.org/x/QIA9
-- Ian Eiloart IT Services, University of Sussex 01273-873148 x3148 For new support requests, see http://www.sussex.ac.uk/its/help/