Jeffrey Walton writes:
The best I can tell, the Mailman threat model is naive or unrealistic.
It's neither. It merely corresponds to a very low level of security, and you are told that when you subscribe.
There are at least three threats which should be modeled.
"Should". Why? And why just these?
First is unknown attackers who are breaking into systems and harvesting {user name, email. password} tuples. As a user, I got nailed when GNU's Savannah was hacked.
I reused a password (bad dog!),
Indeed, and AFAIK if you can get access to a database of as few as 100 MD5-encrypted passwords, a modern PC can probably crack at least one with a dictionary attack within a few hours. Given the quality of most of my own passwords, given an attacker with a $5000 machine I doubt that "salted SHA256" would make that stretch by more than a couple hours. Encryption only helps a little bit, most likely the people who reuse passwords also have relatively weak ones, and the password may not be the most valuable part of such a tuple in any case.
The second threat is the system administrator. I understand a sysadmin must be trusted, but why is he or she trusted so much that they are entitled to plain text passwords?
Because they can get them anyway with wireshark or an appropriate Mailman Handler? (Avoiding this attack is left as an exercise for the reader, as well as identifying the security issues introduced or not handled at all by the more obvious "solutions".)
The third threat is government. Any government can compel a list administrator to give up his or her {user name/email/password} list *if* the list operated within its jurisdiction.
And more secure password lists help here just how? Cf. http://www.jwz.org/gruntle/rbarip.html.
These are not theoretical threats. They happen in practice, and happen too frequently.
And the real solution is obvious. Don't use passwords at all, although that doesn't help with security of the user name and email lists.
The fact is, Google and Savannah don't care about security of their users enough to provide more security than the users do themselves.
RMS has been quite open about it on several occasions when push came to shove: it was more important that GNU systems use free software than that they be secure. And for Google, security is just a matter of financial calculus: if they screw up in public, it will cost them so many users and indirectly so much ad revenue, etc.
If they *did* care more than the users do, they'd use a public key solution and prohibit passwords.
So to answer the security level question: store a salted hash of the password using SHA-224/256 or Whirlpool. The use of SHA-2 or Whirlpool stems from NIST [1,2] and ECRYPT [3] recommendations on algorithm strengths. With a salted hash (using an appropriate hash function), list managers don't need to do any research or configurations, and I don't have to worry about hackers, system administrators, or most government attacks.
Speaking of "naive". The passwords are protected (but not fully protected against system admins), but the lists aren't. Do you realize just what kind of trouble some poor lady could be in if you let the addresses on your "battered wives" list leak? "Dead" is well within the realm of possibility!
Now, that may not be *your* problem, but it does put "paid" to this claim:
Finally, it makes more sense to fix the problem in one place (Mailman source code, by the Mailman developers) rather than 10,000 places (each Mailman installation, by every Mailman list manager).
That would be true if there were a "the problem". There isn't. There are 10,000 problems, each a little different. There are problems, each a little different, 10,000 of them. There are 10,000 problems, each differing a little. ....