[Mailman-Developers] Password on the wire again!

Barry A. Warsaw barry@python.org
Sun, 4 Aug 2002 11:37:03 -0400

>>>>> "OW" == Ousmane Wilane <wilane@cyg.sn> writes:

    OW> Hi, Thought I had to followup on this:
    OW> http://honor.icsalabs.com/pipermail/firewall-wizards/2002-August/012702.html

Thanks for the pointer.  I'm not on that list so I won't follow up to
that thread, but feel free to forward the following response.  Thanks!


-------------------- snip snip --------------------
Paul Robertson's followup in


is (mostly) right on target.  User passwords protect a primarily
low-value resource and the effects of an attack on a user password are
fairly easy to detect.  Mailman even tells you when you subscribe to a
list that the passwords will be sent in plaintext monthly reminders
and that you should not choose a valuable password.  Everyone reads
all the fine print, right? <wink>.

That being said, the next release of Mailman will allow users to
inhibit their password reminders, so that should address the concerns
of Anton J Aylward.  Turning off password reminders means the only way
to get your password is to request it via the web or email command.
The default will still be to send reminders, for exactly the trade-off
in costs that Paul points out.

Two additional notes: list admin passwords are never sent in the
clear.  In fact, Mailman doesn't even store the list admin passwords
in plaintext; by default it stores list admin passwords as an md5,
crypt, or sha1 hash.  That's why list admins can't even request their
admin passwords and the only way to reset a forgotten admin password
is with the site password (also not kept in plaintext).  These
higher-privileged passwords obviously protect more valuable resources,
so security for them is higher.
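To make the distinction above concrete, here is an added example (my own illustration, not Mailman's code) of why a hashed admin password can be verified but never mailed back, while a plaintext user password can.  The `{SCHEME}base64` record layout, the `can_mail_reminder` helper and the salted PBKDF2 scheme are assumptions made for this illustration; the post only mentions unsalted md5, crypt and sha1.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not Mailman's own code. The "{SCHEME}..." record layout is an
# assumption for this illustration, not Mailman's on-disk format.

LEGACY_SCHEMES = ("md5", "sha1")   # unsalted digests, as the post describes
MODERN_SCHEME = "pbkdf2-sha256"    # salted and iterated; what to use today
PBKDF2_ROUNDS = 100_000


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, scheme: str = MODERN_SCHEME,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing hash record for `password`.

    Legacy md5/sha1 records are unsalted, so equal passwords give equal
    records; the pbkdf2-sha256 record embeds a random salt and round count.
    """
    pw = password.encode("utf-8")
    if scheme in LEGACY_SCHEMES:
        return "{%s}%s" % (scheme.upper(), _b64(hashlib.new(scheme, pw).digest()))
    if scheme == MODERN_SCHEME:
        salt = os.urandom(16) if salt is None else salt
        dk = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS)
        return "{%s}%d$%s$%s" % (scheme.upper(), PBKDF2_ROUNDS, _b64(salt), _b64(dk))
    raise ValueError("unsupported scheme: %r" % scheme)


def verify_password(candidate: str, record: str) -> bool:
    """Check `candidate` against a stored record; the password itself is never recovered."""
    if not record.startswith("{") or "}" not in record:
        raise ValueError("not a hashed record")
    scheme, body = record[1:].split("}", 1)
    scheme = scheme.lower()
    pw = candidate.encode("utf-8")
    if scheme in LEGACY_SCHEMES:
        expected = _b64(hashlib.new(scheme, pw).digest())
    elif scheme == MODERN_SCHEME:
        rounds, salt_b64, body = body.split("$", 2)
        dk = hashlib.pbkdf2_hmac("sha256", pw, base64.b64decode(salt_b64), int(rounds))
        expected = _b64(dk)
    else:
        raise ValueError("unsupported scheme: %r" % scheme)
    # Constant-time compare so a wrong guess does not leak how much of it matched.
    return hmac.compare_digest(expected, body)


def can_mail_reminder(record: str) -> bool:
    """A plaintext entry can be mailed back; a hashed record cannot be turned back into a password."""
    return not record.startswith("{")


if __name__ == "__main__":
    user_pw = "monthly-reminder-ok"          # constructed sample: a low-value user password
    admin_rec = hash_password("admin-secret", "sha1")
    print("user reminder possible:", can_mail_reminder(user_pw))     # True
    print("admin reminder possible:", can_mail_reminder(admin_rec))  # False
    print("admin login check:", verify_password("admin-secret", admin_rec))
```

The `sha1` branch reproduces the unsalted hashing the post describes: it stops the password from being sent in a reminder, but because equal passwords produce equal records and the digest is fast, offline guessing is cheap; the `pbkdf2-sha256` branch adds a per-record salt and a work factor, which is the usual way to harden stored admin and site passwords today.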

Then again, how many folks hide their Mailman admin interface behind
an https url? :)

Finally, in both the current and future versions of Mailman, super
paranoid list owners can inhibit password reminders list-wide.  I
suspect few do though, because of the pain in answering "I forgot my
password" messages.  This may become more popular in future versions
though because I think that overwhelmingly, requests for passwords
come from folks who want to unsubscribe.  The next version will use
mailback confirmations for unsubscription requests, so most users will
likely never even need their passwords.