[Mailman-Developers] Hashing member passwords in config.pck

Bob Puff at NLE bob at nleaudio.com
Thu Feb 10 19:41:09 CET 2005


Private mailing list archives.  Needed for that.

Adrian Bye wrote:

> Why even bother with passwords?  They're good to include in the unsubscribe URL,
> so that if someone maliciously gets your list, they can't unsubscribe everyone
> manually.  But mainstream commercial autoresponders have no passwords, and they
> work great.
> 
> Sure, it _is_ possible that someone could cause problems, which a password
> prevents. But in practice this rarely happens.  We're not talking the 80/20 rule
> - we're talking the 99.99/0.01 rule.
> 
> Your average user is overburdened with passwords, and most mailing lists are
> pretty low involvement - users don't want to have to remember another password
> just for a mailing list.
> 
> I've actually had some changes to my mailman install made so that users can
> unsubscribe without a password - I'll share the code next week so you can take a
> look at it.  We also shortened the unsubscribe URLs so they were below 60 chars,
> ensuring that they would work more reliably and not get broken on some mail
> clients.
> 
> Getting rid of passwords would open up mailman to usage to a much wider range of
> users, which should mean more development resources and interest.
> 
> 
>>-----Original Message-----
>>From: Bob Puff at NLE [mailto:bob at nleaudio.com] 
>>Sent: Thursday, February 10, 2005 2:30 PM
>>To: Barry Warsaw
>>Cc: mailman-developers at python.org
>>Subject: Re: [Mailman-Developers] Hashing member passwords in 
>>config.pck
>>
>>I've -always- disabled the monthly reminders, so that would 
>>be no great loss.
>>
>>If we convert to one-way passwords, could the upgrade script 
>>convert the current passwords?  It would be a -big- deal if 
>>everyone had to reset their passwords.
>>
>>Bob
>>
>>Barry Warsaw wrote:
>>
>>
>>>I think CAN-2005-0202 gives us the opportunity to finally implement
>>>what we have long considered an embarrassing exposure in Mailman's
>>>config.pck databases.  Member passwords are kept in this
>>>database in the clear.
>>>
>>>The obvious fix is to hash member passwords and keep only the hash in
>>>the database.
>>>
>>>We haven't changed this before now for two reasons:
>>>
>>>1. We would have to regenerate all member passwords, which is an
>>>administrative burden.  We might also need to implement checks to see
>>>if the passwords were cleartext or hashed and do the password
>>>comparison accordingly.
>>>
>>>2. This breaks all password reminders.
>>>
>>>To fully address CAN-2005-0202 we're recommending sites regenerate
>>>their member passwords anyway, so this gives us an opening to fix this
>>>properly.  And we have a better internal password generator now too.
>>>
>>>As for #2, well, I think most people hate those password reminders
>>>anyway, and we've decided that they are going away for MM3.  I don't
>>>think many people would shed too many tears if we killed off monthly
>>>password reminders for 2.1.6.  Doing that would also eliminate the
>>>requirement for the site list, since its primary purpose is to
>>>function as the sender of the reminder messages.
>>>
>>>To do this for 2.1.6, we'd have to change the "Email My Password To Me"
>>>feature in the options page and in the member login page.  These would
>>>have to become a "create a new password for me" feature.  Also,
>>>crontab.in should not call mailpasswds anymore, or that script should
>>>turn into a simple "here's the lists you are on" reminder, without the
>>>password information in it.  This will require i18n updates too.
>>>
>>>The downside to doing this now is that it's more coding work for 2.1.6
>>>and I'd like to get the new version out asap.  Still, this seems like
>>>an opportunity that we shouldn't lightly dismiss.
>>>
>>>What do you all think?  Is anybody willing to take a crack at a patch
>>>for this?
>>>
>>>-Barry
>>>
>>>
>>>
>>>
>>>
>>>----------------------------------------------------------------------
>>>--
>>>
>>>_______________________________________________
>>>Mailman-Developers mailing list
>>>Mailman-Developers at python.org
>>>http://mail.python.org/mailman/listinfo/mailman-developers
>>>Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
>>>Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
>>>Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/bob%40nleaudio.com
>>
>>
> 
> 
> 
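The following is an added illustration for readers of this archived thread; it is not Mailman code and was not posted by anyone in the discussion. It sketches the two mechanics Barry and Bob raise above: a password store that still holds legacy cleartext entries next to hashed ones, so a login check must detect which form it is looking at and compare accordingly (upgrading the entry to a hash once the member has proven the password), and an upgrade-script pass that hashes every remaining cleartext entry in bulk so nobody has to reset anything. The tagged `$pbkdf2$...` storage format, the function names, the iteration count and the member addresses are all assumptions constructed for this example, not Mailman's own format or data.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Constructed storage format for hashed entries (an assumption, not Mailman's):
#   "$pbkdf2$<iterations>$<base64 salt>$<base64 derived key>"
# Anything that does not start with HASH_PREFIX is treated as a legacy
# cleartext password, which is exactly the "cleartext or hashed?" check
# the thread talks about.
HASH_PREFIX = "$pbkdf2$"
ITERATIONS = 100_000          # chosen for this example; tune per deployment


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 entry in the tagged format above."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s%d$%s$%s" % (
        HASH_PREFIX, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def is_hashed(stored: str) -> bool:
    """Distinguish a hashed entry from a legacy cleartext one by its tag."""
    return stored.startswith(HASH_PREFIX)


def verify_password(stored: str, candidate: str) -> bool:
    """Compare a candidate against either kind of stored entry.

    Both branches use a constant-time comparison so a cleartext entry does
    not leak prefix information through timing while it is still around.
    """
    if not is_hashed(stored):
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    try:
        _, _, iters, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False            # malformed entry: treat as a failed login
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def check_and_upgrade(members: Dict[str, str], address: str, candidate: str) -> bool:
    """Login-time check: verify, and hash a legacy entry once it is proven."""
    stored = members.get(address)
    if stored is None:
        return False
    ok = verify_password(stored, candidate)
    if ok and not is_hashed(stored):
        members[address] = hash_password(candidate)   # lazy migration
    return ok


def upgrade_all(members: Dict[str, str]) -> int:
    """Upgrade-script pass: hash every cleartext entry still in the store.

    Possible only because the old entries are cleartext; no member has to
    reset a password. Returns the number of entries converted.
    """
    converted = 0
    for address, stored in list(members.items()):
        if not is_hashed(stored):
            members[address] = hash_password(stored)
            converted += 1
    return converted


def new_password(nbytes: int = 12) -> str:
    """Random replacement password for a 'create a new password for me' flow."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample store: one legacy cleartext entry, one already hashed.
    members = {
        "alice@example.invalid": "tr0ub4dor",
        "bob@example.invalid": hash_password("hunter2"),
    }
    print("alice login:", check_and_upgrade(members, "alice@example.invalid", "tr0ub4dor"))
    print("alice now hashed:", is_hashed(members["alice@example.invalid"]))
    print("bulk converted:", upgrade_all({"c@example.invalid": "p1", "d@example.invalid": "p2"}))
```

The tag-prefix check is what lets a mixed store keep working during the transition; once `upgrade_all` has run, the cleartext branch of `verify_password` is dead code and can be removed in a later release.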
