Firewall Wizards mailing list archives
RE: Sourceforge sending out passwords in the clear (forwarded message from Barry A. Warsaw)
From: Ousmane Wilane <wilane () cyg sn>
Date: Sun, 4 Aug 2002 15:56:52 +0000
--- Begin Message ---
From: barry () python org (Barry A. Warsaw)
Date: Sun, 4 Aug 2002 11:37:03 -0400
"OW" == Ousmane Wilane <wilane () cyg sn> writes:

    OW> Hi, Thought I had to follow up on this:
    OW> http://honor.icsalabs.com/pipermail/firewall-wizards/2002-August/012702.html

Thanks for the pointer. I'm not on that list so I won't follow up to that thread, but feel free to forward the following response.

Thanks!
-Barry

-------------------- snip snip --------------------

Paul Robertson's followup in http://honor.icsalabs.com/pipermail/firewall-wizards/2002-August/012703.html is (mostly) right on target. User passwords protect a primarily low-value resource and the effects of an attack on a user password are fairly easy to detect. Mailman even tells you when you subscribe to a list that the passwords will be sent in plaintext monthly reminders and that you should not choose a valuable password. Everyone reads all the fine print, right? <wink>.

That being said, the next release of Mailman will allow users to inhibit their password reminders, so that should address the concerns of Anton J Aylward. Turning off password reminders means the only way to get your password is to request it via the web or email command. The default will still be to send reminders, for exactly the trade-off in costs that Paul points out.

Two additional notes: list admin passwords are never sent in the clear. In fact, Mailman doesn't even store the list admin passwords in plaintext; by default it stores list admin passwords as an md5, crypt, or sha1 hash. That's why list admins can't even request their admin passwords and the only way to reset a forgotten admin password is with the site password (also not kept in plaintext). These higher privileged passwords obviously protect more valuable resources, so security for them is higher. Then again, how many folks hide their Mailman admin interface behind an https url? :)

Finally, in both the current and future versions of Mailman, super paranoid list owners can inhibit password reminders list-wide. I suspect few do though, because of the pain in answering "I forgot my password" messages. This may become more popular in future versions though because I think that overwhelmingly, requests for passwords come from folks who want to unsubscribe. The next version will use mailback confirmations for unsubscription requests, so most users will likely never even need their passwords.

Cheers,
-Barry
--- End Message ---
-- 
Ousmane Wilane wilane () omnet sn
<< People who have imaginary enemies are called 'paranoid.' People who have enemies that they think are imaginary are called 'victims.' It's often hard to tell the two apart until it's too late. >>
<< Bill Blunden, Phrack 0x0b/0x3b/#0x03 >>
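The two password tiers Barry describes (plaintext-stored user passwords that can be mailed back in a reminder, versus hashed admin and site passwords that can only be verified, never recovered) and the mailback confirmation he says the next version will use for unsubscribes can be sketched in a few lines. The following is an added illustration in Python written for this archive page; it is not Mailman's code and not part of the forwarded message. The class name, the in-memory dictionaries, the sample address and passwords, and the 16-byte confirmation token are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class ListStore:
    """Toy model (not Mailman's own code) of the password tiers
    described in the message above."""

    def __init__(self, admin_password, site_password):
        # Assumed store: user passwords kept in plaintext so they can
        # be mailed back; admin and site passwords kept only as hashes.
        self.user_passwords = {}
        self.admin_hash = self._hash(admin_password)
        self.site_hash = self._hash(site_password)
        # Outstanding unsubscribe confirmations: token -> address.
        self.pending_unsub = {}

    @staticmethod
    def _hash(password):
        # Unsalted sha1 is one of the hash choices named in the message.
        # It makes the plaintext unrecoverable from the store, but a
        # fast unsalted hash is weak against offline guessing; a salted
        # slow KDF (e.g. hashlib.scrypt) is the modern choice.
        return hashlib.sha1(password.encode("utf-8")).hexdigest()

    def subscribe(self, address, password):
        self.user_passwords[address] = password

    def remind(self, address):
        """Monthly reminder: the plaintext user password is recoverable."""
        return self.user_passwords.get(address)

    def check_admin(self, candidate):
        # Verify-only: compare the hash of the offered password with the
        # stored hash, in constant time.
        return hmac.compare_digest(self._hash(candidate), self.admin_hash)

    def recover_admin_password(self):
        # No plaintext exists to mail back, which is why a list admin
        # cannot request the admin password.
        return None

    def reset_admin_password(self, site_password, new_admin_password):
        """The only recovery path: prove the site password, set a new hash."""
        if not hmac.compare_digest(self._hash(site_password), self.site_hash):
            return False
        self.admin_hash = self._hash(new_admin_password)
        return True

    def request_unsubscribe(self, address):
        """Mailback confirmation: instead of asking for the password,
        issue a random single-use token that would be sent to the
        subscribed address. Returns None for unknown addresses."""
        if address not in self.user_passwords:
            return None
        token = secrets.token_hex(16)
        self.pending_unsub[token] = address
        return token

    def confirm_unsubscribe(self, token):
        """Replying with the token proves control of the mailbox."""
        address = self.pending_unsub.pop(token, None)
        if address is None:
            return False
        del self.user_passwords[address]
        return True


if __name__ == "__main__":
    store = ListStore("admin-secret", "site-secret")   # constructed sample
    store.subscribe("alice@example.org", "hunter2")
    print("reminder:", store.remind("alice@example.org"))
    print("admin recoverable:", store.recover_admin_password())
    token = store.request_unsubscribe("alice@example.org")
    print("confirmed:", store.confirm_unsubscribe(token))
```

The point the example makes concrete is the asymmetry in the message: `remind` can hand back a user password because the store holds it, while the admin password can only pass through `check_admin` or be replaced via `reset_admin_password` with the site password. The unsubscribe path never touches a password at all, so a subscriber who only wants off the list has no reason to ask for a reminder.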
Current thread:
- RE: Sourceforge sending out passwords in the clear (forwarded message from Barry A. Warsaw) Ousmane Wilane (Aug 04)
- RE: Sourceforge sending out passwords in the clear (forwarded message from Barry A. Warsaw) Paul D. Robertson (Aug 04)
- RE: Sourceforge sending out passwords in the clear (forwarded message from Barry A. Warsaw) Barry A. Warsaw (Aug 05)
- RE: Sourceforge sending out passwords in the clear (forwarded message from Barry A. Warsaw) Paul D. Robertson (Aug 05)
- RE: Sourceforge sending out passwords in the clear (forwarded message from Barry A. Warsaw) Barry A. Warsaw (Aug 05)
- RE: Sourceforge sending out passwords in the clear (forwarded message from Barry A. Warsaw) Barry A. Warsaw (Aug 05)
- Message not available
- DNS cache Dave Piscitello (Aug 06)
- Re: DNS cache Martin (Aug 06)
- DNS cache Dave Piscitello (Aug 06)
- RE: Sourceforge sending out passwords in the clear (forwarded message from Barry A. Warsaw) Paul D. Robertson (Aug 04)