Firewall Wizards mailing list archives
RE: Sourceforge sending out passwords in the clear (forwarded message from Barry A. Warsaw)
From: "Paul D. Robertson" <proberts () patriot net>
Date: Sun, 4 Aug 2002 14:21:22 -0400 (EDT)
[Apologies for the full quoting, but the original was MIMEd and I let it through anyway, so this is the easy way for people whose mail clients don't like MIME and all those behind content filters to read Barry's reply.]

On Sun, 4 Aug 2002, Ousmane Wilane wrote:

> Date: Sun, 4 Aug 2002 11:37:03 -0400
> From: Barry A. Warsaw <barry () python org>
> To: wilane () cyg sn
> Cc: mailman-developers () python org
> Subject: Re: [Mailman-Developers] Password on the wire again!
>
> "OW" == Ousmane Wilane <wilane () cyg sn> writes:
>
> OW> Hi, Thought I had to followup on this:
> OW> http://honor.icsalabs.com/pipermail/firewall-wizards/2002-August/012702.html
>
> Thanks for the pointer. I'm not on that list so I won't follow up to that thread, but feel free to forward the following response.
>
> Thanks!
> -Barry
>
> -------------------- snip snip --------------------
>
> Paul Robertson's followup in
> http://honor.icsalabs.com/pipermail/firewall-wizards/2002-August/012703.html
> is (mostly) right on target. User passwords protect a primarily low-value resource and the effects of an attack on a user password are fairly easy to detect. Mailman even tells you when you subscribe to a list that the passwords will be sent in plaintext monthly reminders and that you should not choose a valuable password. Everyone reads all the fine print, right? <wink>.
>
> That being said, the next release of Mailman will allow users to inhibit their password reminders, so that should address the concerns of Anton J Aylward. Turning off password reminders means the only way to get your password is to request it via the web or email command. The default will still be to send reminders, for exactly the trade-off in costs that Paul points out.

If the Web or mail command allows a password fetch, wouldn't a link to the password fetching page be better than sending the actual password? For the category of user who needs that much help, the link will be followable in their HTMLizing mail client anyway... It seems to me that if there's a "If you've forgotten your list password" link in the mail by default, and people can make the choice to send the passwords, we'd have the best of both worlds. Is the decision already set, or can we grumble about it somewhere easy (like the Wiki at Zope.org perhaps?)

> Two additional notes: list admin passwords are never sent in the clear. In fact, Mailman doesn't even store the list admin passwords in plaintext; by default it stores list admin passwords as an md5, crypt, or sha1 hash. That's why list admins can't even request their admin passwords and the only way to reset a forgotten admin password is with the site password (also not kept in plaintext). These highe

By default, "newlist" mails the list admin their list's password in every version of mailman I've run- and I just installed the latest version on a test box to confirm it, here's a snippet of the output:

----------------------------------------------------------------------
The mailing list `test' has just been created for you. The following is some basic information about your mailing list.

Your mailing list password is: password

You need this password to configure your mailing list. You also need it to handle administrative requests, such as approving mail if you choose to run a moderated list.
--------------------------------------------------------------------------

Here's the session:

--------------------------------------------------------------------------
# ./newlist test
Enter the email of the person running the list: proberts () patriot net
Initial test password:
Entry for aliases file:
## test mailing list
## created: 04-Aug-2002 root
test:                    "|/home/mailman/mail/wrapper post test"
test-admin:              "|/home/mailman/mail/wrapper mailowner test"
test-request:            "|/home/mailman/mail/wrapper mailcmd test"
test-owner:              test-admin

Hit enter to continue with test owner notification...
-----------------------------------------------------------------------

One "Enter" and the list admin password is sent in the clear. I'm not saying this is a bad decision, heck- I use it, but it's certainly not intuitive without reading the documentation[1] (and probably not ideal.)

> come from folks who want to unsubscribe. The next version will use mailback confirmations for unsubscription requests, so most users will likely never even need their passwords.

Add the ability to easily add an unsubscribe link to the top of the list page, and you'll have me owing you beers.

Getting back to my original discussion with Anton- would you accept patches in this area if someone wanted to have Mailman "do the right thing" out of the box with passwords, or is it pretty much "should be this high to admin Mailman?"

Thanks for your response,

Paul

[1] Not reading the documentation isn't an excuse IMO, but there will be those who inherit installations with scripted "Web forms" for creating lists.

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment
                           TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
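The "send a link, not the password" reminder that Paul proposes above, as an added example that is not code from this thread or from Mailman: the reminder mail carries a time-limited HMAC token bound to one address on one list, and the options page verifies it before letting the user set a new password, so the plaintext password never goes over the wire. The site secret, the URL layout and the three-day lifetime are constructed assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed values for the example; a real site would load the secret from its config.
SITE_SECRET = b"constructed-example-site-secret"
TOKEN_TTL = 3 * 24 * 3600  # reminder links stop working after three days


def _mac(listname: str, email: str, issued: int) -> str:
    """Keyed MAC over (list, address, issue time) so a token is tied to one user on one list."""
    msg = f"{listname}|{email}|{issued}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def make_reset_token(listname: str, email: str, now: Optional[float] = None) -> str:
    """Token to embed in the reminder link in place of the plaintext password."""
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_mac(listname, email, issued)}"


def verify_reset_token(listname: str, email: str, token: str, now: Optional[float] = None) -> bool:
    """True only if the MAC matches this list/address and the token has not expired."""
    try:
        issued_str, mac = token.split(".", 1)
        issued = int(issued_str)
    except ValueError:
        return False  # malformed token
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued <= TOKEN_TTL:
        return False  # expired or issued in the future
    # compare_digest avoids leaking the correct MAC through timing differences
    return hmac.compare_digest(_mac(listname, email, issued), mac)


def reminder_body(listname: str, email: str, base_url: str, now: Optional[float] = None) -> str:
    """Reminder text with a 'forgotten your password?' link; the password itself never appears."""
    query = urlencode({"email": email, "token": make_reset_token(listname, email, now)})
    link = f"{base_url}/options/{listname}?{query}"
    return (
        f"If you've forgotten your {listname} list password, follow this link to\n"
        f"set a new one (valid for three days):\n\n    {link}\n"
    )
```

The token is time-limited but not single-use; making it single-use needs server-side state (a record of consumed tokens) that this example leaves out.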