[Mailman-Developers] config.pck password encryption inconsistencies

Dave Dewey ddewey at cyberthugs.com
Thu Dec 9 15:43:35 CET 2004

Quoting Barry Warsaw (barry at python.org):

> Correct.  Mailman does not encrypt or hash member passwords, and they
> are stored in the clear in the config.pck file (this is actually not
> good, but it's the way it is).  Owner and moderator passwords are
> generally hashed, typically these days with sha1.  I have no idea where
> your passwords are getting changed.

Gotcha.  I believe that's where I was drawing my erroneous conclusions from.
I only have information about my own passwords, and they are clearly
encrypted since I know what the values are.  My own accounts are ALSO all
either owners or moderators, so that explains it perfectly.  The rest of the
users passwords were either values I could recognize and therefore were
cleartext passwords or random strings, and it's impossible to tell whether
those are encrypted or just random by simply looking at them.  I now assume
they are random.

Thanks for the information!  I did see the references to the sha1 encryption
in the code, further drawing me down the wrong path.  Case closed...


More information about the Mailman-Developers mailing list