(meta) Mailman cleartext passwords

When I signed up, I got an email with subject: Welcome to the "Python-ideas" mailing list

It included the text:

======================================================================
You must know your password to change your options (including changing the password, itself) or to unsubscribe without confirmation. It is:

my-cleartext-password
======================================================================

This has bugged me about Mailman in the past... luckily I used a low-tier password for this (I know, I should use a unique password). But some users will use a password which is valuable to them.

Should this "feature" be turned off for new subscribers?

-- Tom Hale

On 5/14/19 5:35 AM, Tom Hale wrote:
As someone who runs a Mailman list for non-technical users, I will say that this feature also bothers me a bit, but the problems that come from disabling it are worse.

First, there is a notice right on the signup form that this will happen, so users have been warned. If they are reusing passwords, the fact that the list has a copy of the password and emails it out is likely NOT among the highest risks to their security, and perhaps the perceived breach might get them to change.

The emailing of the password in plain text isn't that big of a security issue for most people. Yes, if someone is reading your email you have a problem, but that is not the risk for most people, and if they can do that, then likely you are already in a security-compromised situation. As explained on the Mailman site, the possible risk to a user of having their Mailman subscription 'hacked' is small; the biggest danger is that you could be unsubscribed.

Mailman 3 has changed the behavior and uses the more standard password reset mechanism rather than the password being sent. In the not too distant future, hopefully Mailman 3 will be in a state where migrating a Mailman 2 list to it will be a reasonable course of action.

I also find it amazing how many people forget what email address they signed up with, so for a list that requires one to be subscribed to submit messages, this can be important, so the periodic sending of the subscription details is important, as otherwise someone needs to search through the subscribed database to figure out how they were subscribed. (I would suggest that most lists want the subscriber list to be accessible only by a few trusted individuals to avoid scraping for spamming.)

-- Richard Damon
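The two designs the thread contrasts, sketched side by side as an added illustration (this is not Mailman's code, and the class, function and message names are assumptions): a Mailman 2-style welcome mail that carries the subscriber's cleartext password, next to a store that keeps only a salted PBKDF2 hash and issues a single-use, expiring reset token when the subscriber forgets the password. The clock is injectable so the expiry path can be exercised offline.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this illustration


def welcome_mailman2_style(email, password):
    """Shape of the welcome mail quoted in the thread: the cleartext password
    is reproduced in the body, so the list must also store it in cleartext."""
    return (f"Welcome to the list, {email}.\n"
            "You must know your password to change your options. It is:\n\n"
            f"{password}\n")


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the list never needs the password back."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    # constant-time compare so a wrong guess cannot be timed against the stored hash
    return hmac.compare_digest(digest.hex(), digest_hex)


class SubscriberStore:
    """Hypothetical subscriber database with reset tokens instead of
    cleartext password mail (constructed example, not a Mailman API)."""

    def __init__(self, now=time.time):
        self.subscribers = {}    # email -> password hash string
        self.reset_tokens = {}   # sha256(token) -> (email, expiry timestamp)
        self.now = now

    def subscribe(self, email, password):
        self.subscribers[email] = hash_password(password)
        # The welcome mail still reminds the user which address is subscribed,
        # which covers the "forgot which address I used" case, but carries no secret.
        return (f"Welcome to the list. Your subscribed address is {email}.\n"
                "If you forget your password, request a reset link.\n")

    def issue_reset(self, email, ttl_seconds=3600):
        """Returns the token to be mailed to the subscriber, or None if unknown.
        Only a hash of the token is kept, so a database leak does not leak live tokens."""
        if email not in self.subscribers:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[key] = (email, self.now() + ttl_seconds)
        return token

    def redeem_reset(self, token, new_password):
        """Single use: the token is removed whether or not it is still valid."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)
        if entry is None:
            return False
        email, expiry = entry
        if self.now() > expiry:
            return False
        self.subscribers[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    # Constructed sample run with a fixed clock.
    clock = [1_000.0]
    store = SubscriberStore(now=lambda: clock[0])
    print(welcome_mailman2_style("tom@example.com", "my-cleartext-password"))
    print(store.subscribe("tom@example.com", "my-cleartext-password"))
    tok = store.issue_reset("tom@example.com")
    print("reset accepted:", store.redeem_reset(tok, "new-password"))
    print("second use accepted:", store.redeem_reset(tok, "again"))
```

The point of the reset-token variant is that the weakest position in the thread, a password reused elsewhere, is no longer recoverable from either the mail spool or the list's own database; the welcome mail keeps the one thing Richard Damon's reply says subscribers actually need, the address they signed up with.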
