[Bug 266821] Re: privacy hole in password reminder

Amedee Van Gasse amedee-launchpad at amedee.be
Mon May 23 15:29:52 CEST 2011


The problem isn't plain text emailed passwords.
The *real* problem is storing plain text passwords on the server that runs mailman.
If that server gets compromised, the attacker has a list of email addresses and passwords.
I guess you all heard about the recent problems with Sony's Playstation Network (PSN). One of the biggest problems there was that Sony stored plain text passwords. If you Google for "plain text passwords", you will see thousands of articles that advise against it, and none that recommend it. Storing plain text passwords in a database is a security antipattern.

Passwords should always be one-way encrypted (hashed), and preferably
well salted.

This is a website that shames Plain Text Offenders: http://plaintextoffenders.com/
Mailman should be added to that website, and Ubuntu should add a very clear security warning to Mailman. Other (more secure) mailing list software should be advised, or a more secure (patched) version (MM 2.1, 3.0, whatever) should be used.

Canonical/Ubuntu itself currently uses Mailman for its community
mailing lists (ubuntu-users etc.). This should be seriously evaluated.

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/266821

Title:
  privacy hole in password reminder

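The salted one-way hashing the message recommends, placed beside the plain-text storage it criticises, as an added example that is neither Mailman's code nor the poster's; the class names are hypothetical, and the PBKDF2 work factor is a constructed value.

```python
import hashlib
import hmac
import os

# Added example, not Mailman's implementation. The two stores below show why
# a "password reminder" feature forces plain-text storage, and what a
# compromised server yields in each case.

ITERATIONS = 200_000  # constructed PBKDF2-HMAC-SHA256 work factor; raise as hardware improves


class PlainTextStore:
    """The antipattern: a dump of this table is a list of emails and passwords."""

    def __init__(self):
        self._passwords = {}

    def set_password(self, email, password):
        self._passwords[email] = password

    def verify(self, email, password):
        return self._passwords.get(email) == password

    def remind(self, email):
        # Mailing the password back is only possible because it is kept as-is.
        return self._passwords[email]


class HashedStore:
    """Keeps only (salt, hash); the password itself cannot be recovered."""

    def __init__(self):
        self._records = {}

    def set_password(self, email, password):
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self._records[email] = (salt, digest)

    def verify(self, email, password):
        rec = self._records.get(email)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)  # constant-time comparison

    def remind(self, email):
        # No plaintext exists to send; a reset flow has to replace the reminder.
        raise NotImplementedError("password is not recoverable; issue a reset instead")
```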