These passwords should not be recoverable, because they should only be stored as a one-way salted hash with n rounds.

Passlib has a number of password hashing functions:

- https://passlib.readthedocs.io/en/stable/

https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/


Is this fixed in Mailman3?

http://www.list.org/download.html

http://www.list.org/devs.html #security lists: mailman-security@python.org as the seclist for mailman.


Mailman 2 src:
https://launchpad.net/mailman

Mailman 3 src:
https://gitlab.com/groups/mailman



On Saturday, September 23, 2017, Steve Barnes <gadgetsteve@live.co.uk> wrote:
I personally was very disappointed on signing up to both this
mailing list & security-announce to receive back an email containing my
password in plain text with the promise of the same thing once a month
unless I changed settings on the Mailman site.

I would have thought that a security related list could provide better
default practices than that!

Is anybody else concerned about the idea?

Steve Barnes.



