[Mailman-Users] Re: cleartext passwords
tneff at bigfoot.com
Mon Oct 2 17:27:55 CEST 2000
I do NOT think that cleartext passwords should be mailed out en masse as
part of a monthly reminder cycle. That is, over time, going to degrade
security and user confidence in the product.
Passwords should only be sent in response to an explicit user request. If
it has to be sent in cleartext, well, you asked for it. If it is possible
to send it encrypted instead (perhaps using a key that the user pastes into
a textarea box on the password request page) then that should be supported.
The monthly reminder (which is a trifle annoying - I now get a flock of them
every first on the month) should, at most, contain a URL for the user
profile page, which includes a button to request an emailed password if the
user has forgotten it.
More information about the Mailman-Users