[Mailman-Users] Re: cleartext passwords

alex wetmore alex at phred.org
Mon Oct 2 17:54:29 CEST 2000


From: "Tom Neff" <tneff at bigfoot.com>
> I do NOT think that cleartext passwords should be mailed out en masse as
> part of a monthly reminder cycle.  That is, over time, going to degrade
> security and user confidence in the product.

Mailman passwords should not be considered secure.  They are only a
minor feature to prevent others from unsubscribing you.  The signup
pages clearly say that users should not use valuable passwords.  Most
people aren't running their mailman web over SSL, so the passwords are
sent back to the server in cleartext.

I do wish that Mailman had the option to just have confirmation email
for any list configuration changes.  This would be simpler for most
users (especially since most of my users do the "send my password to me"
to unsub anyway).

alex




