[Mailman-Developers] Hashing member passwords in config.pck
Bob Puff at NLE
bob at nleaudio.com
Thu Feb 10 19:41:09 CET 2005
Private mailing list archives. Needed for that.
Adrian Bye wrote:
> Why even bother with passwords? They're good to include in the unsubscribe URL,
> so that if someone maliciously gets your list, they can't unsubscribe everyone
> manually. But mainstream commercial autoresponders have no passwords, and they
> work great.
>
> Sure, it _is_ possible that someone could cause problems, which a password
> prevents. But in practice this rarely happens. We're not talking the 80/20 rule
> - we're talking the 99.99/0.01 rule.
>
> Your average user is over burdened with passwords, and most mailing lists are
> pretty low involvement - users don't want to have to remember another password
> just for a mailing list.
>
> I've actually had some changes to my mailman install made so that users can
> unsubscribe without a password - I'll share the code next week so you can take a
> look at it. We also shortened the unsubscribe URLs so they were below 60 chars,
> ensuring that it would work more reliably and not get broken on some mail
> clients.
>
> Getting rid of passwords would open up mailman to usage to a much wider range of
> users, which should mean more development resources and interest.
>
>
>>-----Original Message-----
>>From: Bob Puff at NLE [mailto:bob at nleaudio.com]
>>Sent: Thursday, February 10, 2005 2:30 PM
>>To: Barry Warsaw
>>Cc: mailman-developers at python.org
>>Subject: Re: [Mailman-Developers] Hashing member passwords in
>>config.pck
>>
>>I've -always- disabled the monthly reminders, so that would
>>be no great loss.
>>
>>If we convert to one-way passwords, could the upgrade script
>>convert the current passwords? It would be a -big- deal if
>>everyone had to reset their passwords.
>>
>>Bob
>>
>>Barry Warsaw wrote:
>>
>>>I think CAN-2005-0202 gives us the opportunity to finally implement
>>>what we have long considered an embarrassing exposure in Mailman's
>>>config.pck databases. Member passwords are kept in this database in
>>>the clear. The obvious fix is to hash member passwords and keep only
>>>the hash in the database.
>>>
>>>We haven't changed this before now for two reasons:
>>>
>>>1. We would have to regenerate all member passwords, which is an
>>>administrative burden. We might also need to implement checks to see
>>>if the passwords were cleartext or hashed and do the password
>>>comparison accordingly.
>>>
>>>2. This breaks all password reminders.
>>>
>>>To fully address CAN-2005-0202 we're recommending sites regenerate
>>>their member passwords anyway, so this gives us an opening to fix this
>>>properly. And we have a better internal password generator now too.
>>>
>>>As for #2, well, I think most people hate those password reminders
>>>anyway, and we've decided that they are going away for MM3. I don't
>>>think many people would shed too many tears if we killed off monthly
>>>password reminders for 2.1.6. Doing that would also eliminate the
>>>requirement for the site list, since its primary purpose is to
>>>function as the sender of the reminder messages.
>>>
>>>To do this for 2.1.6, we'd have to change the "Email My Password To Me"
>>>feature in the options page and in the member login page. These would
>>>have to become a "create a new password for me" feature. Also,
>>>crontab.in should not call mailpasswds anymore, or that script should
>>>turn into a simple "here's the lists you are on" reminder, without the
>>>password information in it. This will require i18n updates too.
>>>
>>>The downside to doing this now is that it's more coding work for 2.1.6
>>>and I'd like to get the new version out asap. Still, this seems like
>>>an opportunity that we shouldn't lightly dismiss.
>>>
>>>What do you all think? Is anybody willing to take a crack at a patch
>>>for this?
>>>
>>>-Barry
>>>
>>>--
>>>
>>>_______________________________________________
>>>Mailman-Developers mailing list
>>>Mailman-Developers at python.org
>>>http://mail.python.org/mailman/listinfo/mailman-developers
>>>Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
>>>Searchable Archives:
>>>http://www.mail-archive.com/mailman-users%40python.org/
>>>Unsubscribe:
>>>http://mail.python.org/mailman/options/mailman-developers/bob%40nleaudio.com
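The two migration options discussed in the thread, Barry's "check whether the stored value is cleartext or hashed and compare accordingly" and Bob's "could the upgrade script convert the current passwords?", as an added illustration that is not Mailman's own code. The {PBKDF2-SHA256} tag used to mark converted entries, the iteration count, the choice of PBKDF2-HMAC-SHA256, and the in-memory dict standing in for a config.pck member table are all assumptions made for the example.

```python
"""Dual-mode member password check for a config.pck-style member table.

Added example, not Mailman code. The tag, work factor and dict layout below
are assumptions; Mailman's real storage format is not reproduced here.
"""
import base64
import hashlib
import hmac
import os
import secrets

HASH_PREFIX = "{PBKDF2-SHA256}"   # assumed tag marking an already-hashed entry
ITERATIONS = 100_000              # assumed work factor
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing salted hash: TAG iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s%d$%s$%s" % (
        HASH_PREFIX, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))


def is_hashed(stored):
    """Barry's point 1: tell a migrated entry from a legacy cleartext one."""
    return stored.startswith(HASH_PREFIX)


def check_password(stored, candidate):
    """Compare in whichever mode the stored value is in, in constant time."""
    if is_hashed(stored):
        try:
            iters, b64salt, b64digest = stored[len(HASH_PREFIX):].split("$")
            salt = base64.b64decode(b64salt)
            expected = base64.b64decode(b64digest)
            iterations = int(iters)
        except ValueError:          # binascii.Error is a ValueError subclass
            return False            # a malformed entry never authenticates
        actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
        return hmac.compare_digest(actual, expected)
    # Legacy entry: the stored value is the cleartext password itself.
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def verify_and_upgrade(member_db, email, candidate):
    """Lazy migration: a successful login against a cleartext entry re-stores it hashed."""
    stored = member_db.get(email)
    if stored is None or not check_password(stored, candidate):
        return False
    if not is_hashed(stored):
        member_db[email] = hash_password(candidate)
    return True


def upgrade_all(member_db):
    """Eager migration (Bob's upgrade-script question): hash every cleartext
    entry in place. Works only because the cleartext is still on hand.
    Returns the number of entries converted."""
    converted = 0
    for email, stored in list(member_db.items()):
        if not is_hashed(stored):
            member_db[email] = hash_password(stored)
            converted += 1
    return converted


def new_password(length=12):
    """What 'Email My Password To Me' becomes once only hashes are stored:
    mint a fresh random password instead of mailing back the old one."""
    return secrets.token_urlsafe(length)[:length]


if __name__ == "__main__":
    # Constructed sample member table; addresses and passwords are made up.
    members = {
        "alice@example.org": "correct horse",                # legacy cleartext
        "bob@example.org": hash_password("battery staple"),  # already migrated
    }
    assert verify_and_upgrade(members, "alice@example.org", "correct horse")
    assert is_hashed(members["alice@example.org"])
    assert not verify_and_upgrade(members, "bob@example.org", "wrong")
    members["carol@example.org"] = "plain"
    print("converted", upgrade_all(members), "cleartext entries")
    print("all hashed:", all(is_hashed(v) for v in members.values()))
```

Two caveats a practitioner would want. First, converting in place with `upgrade_all` preserves every existing password, including any that may already have been exposed through the config.pck problem the thread is about; where the advice is to regenerate, the upgrade step should call `new_password` and store `hash_password` of the result rather than hashing the old value. Second, once only hashes are stored the monthly reminder and "Email My Password To Me" cannot be served from the database at all, which is why Barry's plan turns them into a reset.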