[Mailman-Users] mailman passwords

Mark Sapiro mark at msapiro.net
Sat May 9 23:16:59 CEST 2009

bob 001 wrote:
>Do we have any setting where we can set maximum retries for wrong
>password before it locks the account or something like that?


>isn't it otherwise easily breakable via bots by trying different
>passwords to the same web url.

It depends on the strength of the password. Consider a password
consisting of 10 randomly chosen upper/lower case letters and digits.
There are over 8 * 10^17 such passwords. On average random guessing
requires 4 * 10^17 guesses. Even if the round trip web response time
is 1 msec, and it's probably much longer that that, it takes 4 * 10^14
seconds or over 12 million years to try that many guesses. And, if
someone is hitting your server that hard, you'd probably notice.

And what's the payoff for cracking a list password? Maybe the ability
to send one large blast of spam before the list is shut down.

>How'z experts here controlling this piece of security?

By using strong passwords.

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list