Firewall Wizards mailing list archives

RE: Sourceforge sending out passwords in the clear (forwarded message from Barry A. Warsaw)


From: "Paul D. Robertson" <proberts () patriot net>
Date: Sun, 4 Aug 2002 14:21:22 -0400 (EDT)

[Apologies for the full quoting, but the original was MIMEd and I let it 
through anyway, so this is the easy way for people whose mail clients 
don't like MIME and all those behind content filters to read Barry's 
reply.]

On Sun, 4 Aug 2002, Ousmane Wilane wrote:

Date: Sun, 4 Aug 2002 11:37:03 -0400
From: Barry A. Warsaw <barry () python org>
To: wilane () cyg sn
Cc: mailman-developers () python org
Subject: Re: [Mailman-Developers] Password on the wire again!


"OW" == Ousmane Wilane <wilane () cyg sn> writes:

   OW> Hi, Thought I had to followup on this:
   OW> http://honor.icsalabs.com/pipermail/firewall-wizards/2002-August/012702.html

Thanks for the pointer.  I'm not on that list so I won't follow up to
that thread, but feel free to forward the following response.  Thanks!

-Barry

-------------------- snip snip --------------------
Paul Robertson's followup in

http://honor.icsalabs.com/pipermail/firewall-wizards/2002-August/012703.html

is (mostly) right on target.  User passwords protect a primarily
low-value resource and the effects of an attack on a user password are
fairly easy to detect.  Mailman even tells you when you subscribe to a
list that the passwords will be sent in plaintext monthly reminders
and that you should not choose a valuable password.  Everyone reads
all the fine print, right? <wink>.

That being said, the next release of Mailman will allow users to
inhibit their password reminders, so that should address the concerns
of Anton J Aylward.  Turning off password reminders means the only way
to get your password is to request it via the web or email command.
The default will still be to send reminders, for exactly the trade-off
in costs that Paul points out.

If the Web or mail command allows a password fetch, wouldn't a link to the 
password fetching page be better than sending the actual password?  For 
the category of user who needs that much help, the link will be followable 
in their HTMLizing mail client anyway...  It seems to me that if there's a 
"If you've forgotten your list password" link in the mail by default, and 
people can make the choice to send the passwords, we'd have the best of 
both worlds.

Is the decision already set, or can we grumble about it somewhere easy 
(like the Wiki at Zope.org perhaps?)

Two additional notes: list admin passwords are never sent in the 
clear.  In fact, Mailman doesn't even store the list admin passwords
in plaintext; by default it stores list admin passwords as an md5,
crypt, or sha1 hash.  That's why list admins can't even request their
admin passwords and the only way to reset a forgotten admin password
is with the site password (also not kept in plaintext).  These highe

By default, "newlist" mails the list admin their list's password in every 
version of mailman I've run- and I just installed the latest version on a 
test box to confirm it, here's a snippet of the output:

----------------------------------------------------------------------
The mailing list `test' has just been created for you.  The following
is some basic information about your mailing list.

Your mailing list password is:

    password

You need this password to configure your mailing list.  You also need
it to handle administrative requests, such as approving mail if you
choose to run a moderated list.
--------------------------------------------------------------------------
Here's the session:

--------------------------------------------------------------------------
# ./newlist test
Enter the email of the person running the list: proberts () patriot net
Initial test password: 
Entry for aliases file:

## test mailing list
## created: 04-Aug-2002 root
test:                    "|/home/mailman/mail/wrapper post test"
test-admin:              "|/home/mailman/mail/wrapper mailowner test"
test-request:            "|/home/mailman/mail/wrapper mailcmd test"
test-owner:              test-admin

Hit enter to continue with test owner notification...
-----------------------------------------------------------------------

One "Enter" and the list admin password is sent in the clear.  I'm not 
saying this is a bad decision, heck- I use it, but it's certainly not 
intuitive without reading the documentation[1] (and probably not ideal.)

come from folks who want to unsubscribe.  The next version will use
mailback confirmations for unsubscription requests, so most users will
likely never even need their passwords.

Add the ability to easily add an unsubscribe link to the top of the list 
page, and you'll have me owing you beers.

Getting back to my original discussion with Anton- would you accept 
patches in this area if someone wanted to have Mailman "do the right 
thing" out of the box with passwords, or is it pretty much "should be this 
high to admin Mailman?"

Thanks for your response,

Paul
[1] Not reading the documentation isn't an excuse IMO, but there will be 
those who inherit installations with scripted "Web forms" for creating 
lists.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

