[Mailman-Developers] Hashing member passwords in config.pck

Mark Sapiro msapiro at value.net
Sat Feb 12 00:03:43 CET 2005


John W. Baxter wrote:
>
>If the situation becomes a choice of
>1.  mail out the password becomes generate a new time-limited password and
>mail that
>Or
>2.  do away with passwords and have everything validated via a mailed-out
>URL
>
>I think I as a user would prefer 2.

It is already hard enough to visit a private archive. E.g. if I have a
link to a specific post and I follow it, by the time I get done
logging in, my original link is forgotten and I go to the archive
index instead.

If I now have to wait for an e-mail and follow some confirmation link,
I'm going to give up before I ever get there.

I think there has to be a way to get directly to a private archive
without going through some e-mailed confirmation. I might even be
trying to access the archive from some machine that doesn't have
access to the confirmation e-mail (perhaps a computer in a public
library).

I agree that for most other things, e-mail confirmation is fine. I.e.
if I go to my options page and change a few things, I don't mind
having to answer an e-mail confirmation to make the changes effective,
although I'm sure some would have privacy concerns about others being
able to visit their options page without authorization.

Thus, on the whole I prefer passwords. Having to reset a forgotten
password rather than being able to retrieve it would not be a problem
for me.

--
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


