[Mailman-Developers] Hashing member passwords in config.pck
John W. Baxter
jwblist at olympus.net
Mon Feb 14 19:48:52 CET 2005
On 2/12/2005 6:02, "Barry Warsaw" <barry at python.org> wrote:
> On Sat, 2005-02-12 at 02:07, Bob Puff wrote:
>
>> So let me ask this: if we drop passwords for everything but the private
>> archives, do we really need to do anything differently than the format
>> currently in place? Do they really need to be one-way encrypted? Being able
>> to email a forgotten password has its benefits.
>
> It's still worthwhile (in the long run) to hash the passwords. Some
> people tend to re-use them, so stealing Mailman passwords can
> potentially lead to cascading attacks. Password resets are fine.
>
I don't see how users remote from their normal email can make use of
password resets. Without the old password, how do they prove they should be
able to reset a subscriber's password? Thus they can't designate the new
password, nor learn the generated one, remotely.
I don't think the above kills the idea (I've changed my mind, with respect
to the private archives, from what I said earlier).
--John
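As an added illustration of the two positions in this thread (a hashed store cannot mail back a forgotten password, but it can still support a mailed single-use reset token), here is example Python that is not Mailman code and does not use the real config.pck layout; the in-memory member dict, addresses and timestamps are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for a list's member records (not the real config.pck
# format): each member holds only a salt and a one-way PBKDF2 digest.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). Fresh random salt unless one is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def set_password(members: dict, address: str, password: str) -> None:
    salt, digest = hash_password(password)
    members[address] = {"salt": salt, "pw_hash": digest, "reset": None}


def check_password(members: dict, address: str, candidate: str) -> bool:
    rec = members.get(address)
    if rec is None:
        return False
    _, digest = hash_password(candidate, rec["salt"])
    return hmac.compare_digest(digest, rec["pw_hash"])  # constant-time compare


def issue_reset_token(members: dict, address: str, now: float, ttl: int = 3600) -> str:
    """Create a single-use, time-limited reset token for a subscriber.
    Only its SHA-256 is stored, so a leaked config.pck cannot redeem it;
    the clear token is what would be mailed to the subscribed address."""
    token = secrets.token_urlsafe(32)
    members[address]["reset"] = {
        "hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + ttl,
    }
    return token


def redeem_reset_token(members: dict, address: str, token: str,
                       new_password: str, now: float) -> bool:
    rec = members.get(address)
    pending = rec and rec.get("reset")
    if not pending or now > pending["expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["hash"]):
        return False
    set_password(members, address, new_password)  # also clears the pending token
    return True
```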