[Bug 266821] Re: privacy hole in password reminder

Mats Ahlgren mats.ahlgren+launchpad at gmail.com
Wed May 19 07:43:53 CEST 2010


The following major security issues also exist:

- If an email account is compromised, an attacker (or even an automated
virus) can easily gather all passwords. This would *NOT* happen if no
reminders were sent, nor would it happen if the classic "answer the
security questions to receive a password reset form" strategy were used.

- Additionally, once the attacker has the dozens of passwords one might
use for various mailman lists, the attacker can attempt to use those
passwords on other websites or computer systems (e.g. SSH) in automated
attacks. The most basic attack would merely use the password, but more
sophisticated attacks can use the passwords as seeds in an automated
cracker.

> Mark Sapiro: "Are you aware of an attack that would enable this?"
- As the original poster wrote: the password reminders are in plaintext. As far as I know, aren't all email messages sent in plaintext and thus absolutely trivial to eavesdrop on? All the attack would need is a compromised relay on the internet, which I hear is getting more common these days. Just run one of the many network-traffic-monitoring programs and listen for the string "password".

-- 
privacy hole in password reminder
https://bugs.launchpad.net/bugs/266821
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
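The alternative the message points at (a password reset form instead of a mailed reminder) is sketched below as an added example; it is not Mailman code and not part of the thread. It assumes a hypothetical `ResetService` that stores only a PBKDF2 hash of each password and, on request, mails a short-lived, single-use token whose hash alone is kept server-side. Neither a read of the mailbox nor a read of the database then yields a reusable secret, which is the property a mailed plaintext reminder lacks. The user names, addresses and `example.invalid` URL are constructed for the example.

```python
"""Password-reset tokens instead of emailed password reminders (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed value for this example: reset links expire after 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) from PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class ResetService:
    """Hypothetical reset flow: tokens are random, hashed at rest, expiring, single-use."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.users: Dict[str, Tuple[bytes, bytes]] = {}    # email -> (salt, digest)
        self.pending: Dict[str, Tuple[bytes, float]] = {}  # email -> (sha256(token), expiry)
        self.outbox: List[Tuple[str, str]] = []            # (recipient, body) of mail "sent"

    def register(self, email: str, password: str) -> None:
        self.users[email] = hash_password(password)

    def request_reset(self, email: str) -> None:
        """Mail a one-time token; only its hash is stored, so the database holds nothing usable."""
        if email not in self.users:
            return  # silently succeed so the response does not reveal which addresses exist
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).digest()
        self.pending[email] = (token_hash, self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append((email, f"Reset link: https://example.invalid/reset?token={token}"))

    def redeem(self, email: str, token: str, new_password: str) -> bool:
        """Accept the token once, before expiry, and set a new password hash."""
        entry = self.pending.get(email)
        if entry is None:
            return False
        token_hash, expiry = entry
        if self.now() > expiry:
            del self.pending[email]  # stale token: discard it
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(token_hash, presented):  # constant-time comparison
            return False
        del self.pending[email]  # single use: a replayed link is rejected
        self.users[email] = hash_password(new_password)
        return True

    def verify(self, email: str, password: str) -> bool:
        entry = self.users.get(email)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, hash_password(password, salt)[1])


def demo() -> bool:
    """Walk through one reset and return True if every property held."""
    svc = ResetService()
    svc.register("alice@example.invalid", "old-secret")
    svc.request_reset("alice@example.invalid")
    body = svc.outbox[-1][1]
    token = body.split("token=")[1]
    ok = "old-secret" not in body                        # the mail never carries the password
    ok &= not svc.redeem("alice@example.invalid", "wrong-token", "x")
    ok &= svc.redeem("alice@example.invalid", token, "new-secret")
    ok &= not svc.redeem("alice@example.invalid", token, "again")  # no replay
    ok &= svc.verify("alice@example.invalid", "new-secret")
    ok &= not svc.verify("alice@example.invalid", "old-secret")
    return ok


if __name__ == "__main__":
    print("all properties held:", demo())
```

The clock is injectable so expiry can be tested without waiting; in the same spirit a real deployment would also rate-limit `request_reset` and log redemptions, since a burst of reset requests against many addresses is the signal a defender wants to see.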