
Quoting Barry Warsaw (barry@python.org):
Correct. Mailman does not encrypt or hash member passwords, and they are stored in the clear in the config.pck file (this is actually not good, but it's the way it is). Owner and moderator passwords are generally hashed, typically these days with sha1. I have no idea where your passwords are getting changed.
Gotcha. I believe that's where I was drawing my erroneous conclusions from. I only have information about my own passwords, and they are clearly encrypted since I know what the values are. My own accounts are ALSO all either owners or moderators, so that explains it perfectly. The rest of the users' passwords were either values I could recognize and therefore were cleartext passwords or random strings, and it's impossible to tell whether those are encrypted or just random by simply looking at them. I now assume they are random.
Thanks for the information! I did see the references to the sha1 encryption in the code, further drawing me down the wrong path. Case closed...
dave