[Mailman-Developers] [Fwd: [vendor-sec] Weak auto-generated passwords in Mailman]
Bob Puff at NLE
bob at nleaudio.com
Wed Dec 22 21:06:20 CET 2004
While I agree that on the average, the passwords aren't that critical, I do have a few lists that
are set to require the admin's approval for subscription. Here, security is a little tighter.
I do routinely disable the monthly password reminders though - there's enough in the web admin that
people can retrieve their passwords if they really need them.
JC Dill wrote:
> Florian Weimer wrote:
>> Last time I checked, Mailman labels its member-only archives
>> "private", and the implicit promise to keep things posted to the list
>> private is not kept if the software assigns easily guessed to new
>> I can only repeat that Mailman's current behavior surprises your users
>> *a* *lot*,
> I disagree.
> So called "private" archives are only kept from prying eyes until those
> eyes subscribe at which time they are then visible. As I see it, the
> point of Mailman's security measures is not to keep anyone "else" from
> ever viewing the archives, it is to keep random web browsers and web
> spiders from accessing the archives. If someone has the ability to
> script a password guessing algorithm to try to guess an acceptable
> username/password pair to access the archives, they can more easily
> script a program to subscribe, confirm, and then access the archives as
> a subscriber. Plus, no matter how simple or secure the password, if you
> are scripting a password cracker then it's just a matter of time, the
> more easily guessed password is cracked *faster* (on average) but even
> "secure" passwords will be cracked eventually.
> If your mailing list archives need greater security than this, then you
> need a different system. I don't think it is necessary or useful for
> Mailman to be the system that meets those needs, especially at the cost
> of making Mailman less useful for others who don't need such strong
> security measures for their list archives.
>> and leads to security breaches.
> I would love to see a cite for your claim of "leads to security
> breaches". Do you know of actual cases where someone has gained access
> to private archives by cracking a mailman generated semi-random password
> rather than by simply subscribing, or by gaining access to a single
> password through intercept or social engineering means?
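The thread turns on two quantities: how much entropy an auto-generated password actually carries, and how long guessing it takes on average. The following Python is an added example written for this archive page; it is not code from Mailman or from any participant in the thread. It draws passwords from the standard library's CSPRNG (`secrets`) and computes the entropy and expected guess count for a few constructed alphabet/length combinations, so the "cracked faster on average" point can be put in numbers. The alphabets, lengths and guess rate are illustrative assumptions, not a description of what Mailman generated in 2004.

```python
import math
import secrets
import string

# Constructed alphabets for the comparison (not Mailman's own generator).
LOWERCASE = string.ascii_lowercase            # 26 symbols
ALNUM = string.ascii_letters + string.digits  # 62 symbols


def generate_password(length: int = 16, alphabet: str = ALNUM) -> str:
    """Draw one independent, uniformly random symbol per position from a CSPRNG.

    secrets.choice() is the point of the example: a password generator must
    not use a predictable or low-entropy source, or the length is irrelevant.
    """
    if length < 1 or not alphabet:
        raise ValueError("need a positive length and a non-empty alphabet")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def expected_guesses(alphabet_size: int, length: int) -> float:
    """Average guesses before a hit when every candidate is tried: half the keyspace."""
    return (alphabet_size ** length) / 2


def expected_crack_seconds(alphabet_size: int, length: int,
                           guesses_per_second: float) -> float:
    """Turn the guess count into wall-clock time for an assumed guess rate.

    For an online target (a web login) the rate is bounded by the server and
    any lockout or rate limit; that is where the defender controls the number.
    """
    return expected_guesses(alphabet_size, length) / guesses_per_second


def compare(guesses_per_second: float = 100.0) -> dict:
    """Tabulate entropy and expected crack time for the constructed cases."""
    cases = {
        "8 lowercase": (len(LOWERCASE), 8),
        "8 alnum": (len(ALNUM), 8),
        "16 alnum": (len(ALNUM), 16),
    }
    return {
        name: {
            "bits": round(entropy_bits(size, n), 1),
            "days": expected_crack_seconds(size, n, guesses_per_second) / 86400,
        }
        for name, (size, n) in cases.items()
    }


if __name__ == "__main__":
    # Assumed rate of 100 guesses/second against an unthrottled web form (constructed).
    for name, row in compare(100.0).items():
        print(f"{name:12s} {row['bits']:6.1f} bits  ~{row['days']:.3g} days")
    print("sample:", generate_password())
```

The table makes JC Dill's "just a matter of time" concrete: at the same guess rate, each extra bit of entropy doubles the expected time, so the difference between a short lowercase password and a 16-character alphanumeric one is many orders of magnitude, and a throttle or lockout on the login form shrinks the attacker's rate further.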