[Mailman-Developers] [Fwd: [vendor-sec] Weak auto-generated passwords in Mailman]

Bob Puff at NLE bob at nleaudio.com
Wed Dec 22 21:06:20 CET 2004

While I agree that on the average, the passwords aren't that critical, I do have a few lists that 
are set to require the admin's approval for subscription.  Here, security is a little tighter.

I do routinely disable the monthly password reminders though - there's enough in the web admin that 
people can retrieve their passwords if they really need them.


JC Dill wrote:
> Florian Weimer wrote:
>> Last time I checked, Mailman lables its member-only archives
>> "private", and the implicit promise to keep things posted to the list
>> private is not kept if the software assigns easily guessed to new
>> members.
>> I can only repeat that Mailman's current behavior surprises your users
>> *a* *lot*,
> I disagree.
> So called "private" archives are only kept from prying eyes until those 
> eyes subscribe at which time they are then visible.  As I see it, the 
> point of Mailman's security measures is not to keep anyone "else" from 
> ever viewing the archives, it is to keep random web browsers and web 
> spiders from accessing the archives.  If someone has the ability to 
> script a password guessing algorithm to try to guess an acceptable 
> username/password pair to access the archives, they can more easily 
> script a program to subscribe, confirm, and then access the archives as 
> a subscriber.  Plus, no matter how simple or secure the password, if you 
> are scripting a password cracker then it's just a matter of time, the 
> more easily guessed password is cracked *faster* (on average) but even 
> "secure" passwords will be cracked eventually.
> If your mailing list archives need greater security than this, then you 
> need a different system.  I don't think it is necessary or useful for 
> Mailman to be the system that meets those needs, especially at the cost 
> of making Mailman less useful for others who don't need such strong 
> security measures for their list archives.
>> and leads to security breaches.
> I would love to see a cite for your claim of "leads to security 
> breaches".  Do you know of actual cases where someone has gained access 
> to private archives by cracking a mailman generated semi-random password 
> rather than by simply subscribing, or by gaining access to a single 
> password thru intercept or social engineering means?
> jc
> _______________________________________________
> Mailman-Developers mailing list
> Mailman-Developers at python.org
> http://mail.python.org/mailman/listinfo/mailman-developers
> Unsubscribe: 
> http://mail.python.org/mailman/options/mailman-developers/bob%40nleaudio.com 

More information about the Mailman-Developers mailing list