[Mailman-Users] Thoughts about migrating to Mailman instead of Sympa (from Majordomo)

Larry Stone lstone19 at stonejongleux.com
Fri Jan 20 22:17:40 CET 2012


On Thu, 19 Jan 2012, Geoff Mayes wrote:

> If Mailman 
> provided a way around the passwords in the clear issue, I'm pretty sure 
> we'd go with Mailman ...

My personal opionion is Mailman passwords are so insignificant that it 
really shouldn't be an issue. On the other hand, I recognize that you may 
have direction from above that because it's called a "password", it needs 
to be ulta-secure (there are, unfortunately, too many bosses who don't 
understand security and don't understand that different types of systems 
have different security needs). How much damage could be done if a Mailman 
user password was compromised? How much damage could be done if my on-line 
banking password was compromised? The answers are very different yet there 
are many who want them secured in the same way.

I so rarely use a Mailman password that I don't even try to remember it. 
If I need to use it on a Mailman system, I have it send it to me, use it, 
then forget it.

If someone wants to mess up my subscription on a Mailman system, well, go 
ahead. I have far more important things in life to worry about.

Also, consider how many other times passwords are sent in the clear, just 
not in email. A snail mail with a password is also a "password sent in the 
clear" yet few seem to have a problem with that. Maybe because I practice 
good password managment, I am less concerned about an email being snooped 
than I am about snail mail theft or privileged access abuses.

I would not worry about Mailman passwords being sent in the clear and 
instead, urge users to use good password practices. For Mailman, encourage 
them to let Mailman assign a password (and thereby, not reuse a PW). 
Because no matter what you do, people will reuse passwords, use the same 
password for low and high security needs, use easy-to-guess passwords, 
write them down, and other things that just make Mailman's password 
concerns the least of your organization's security concerns.

-- Larry Stone
    lstone19 at stonejongleux.com


More information about the Mailman-Users mailing list