[Mailman-Developers] automatically generated password too complicated?

Gerhard Gonter gonter@maestria.wu-wien.ac.at
Tue, 20 Apr 1999 20:21:54 +0200 (MES)


Some of our users complained about the automatically generated
passwords that are sent out when a list is imported or if an admin
subscribes someone.  Especially the ` and ^ characters are a major
problem because these may be treated as parts of composite characters
in some environments (` followed by a might be displayed as the same
character as à in HTML) and so on.  Also, upper case characters
impose an extra mental burden ;)

Anyway, I modified our Mailman which now has a function (method?)
  Utils.GetRandomPassword(length)

which generates passwords of the given length with a restricted
alphabet, namely: a-x, 2-9, excluding characters o and l as well
as digits 0 and 1 which may be confused and y, z (German keyboards
swap these, in the past, this caused trouble too ;)

I would like to offer this patch unless there are good reasons why this
should be avoided.  The main concern is certainly a higher risk to
crack such passwords (only 30 possibilities instead of 64) but this
could easily be matched by using 5 character passwords:

  possibilities      strength
  ---------------------------
  64^4 = 16777216    1
  30^4 =   810000    0.05
  30^5 = 24300000    1.45

As far as I have seen, this patch involves replacing certain calls to
GetRandomSeed in a few places such as:
  bin/add_members, Mailman/Cgi/admin.py, Mailman/MailCommandHandler.py

Any comment?

+gg
 
--
Gerhard.Gonter@wu-wien.ac.at  Fax: +43/1/31336/702  g.gonter@ieee.org
Zentrum fuer Informatikdienste, Wirtschaftsuniversitaet Wien, Austria