[sf-lug] Yes, Mailman stores and sends the passwords in the clear: Re: Anyone here had any contact with Linu xChix.org?

Ehud Kaldor ehud.kaldor at gmail.com
Thu Jun 6 19:54:33 PDT 2019


Agree with everything you wrote. One thing I'm still not clear on is *why*
you need to send password reminders monthly (or at any period). The problem
of resetting a password was solved a long time ago (and relies on
email!) so this feature is not really clear to me.

That said, yes - I do understand I signed the EULA without reading it
thoroughly :)
My initial email was mislabeled as I thought it was the site itself that
does that, and I was looking to maybe bring that to the awareness of the
store owners, who might have missed it.


On Thu, Jun 6, 2019, 18:24 Michael Paoli <Michael.Paoli at cal.berkeley.edu>
wrote:

> Yes, Mailman stores and sends the passwords in the clear.
> As far as I'm aware, that's a long established
> (mis-?) feature of Mailman, and though it's been oft
> requested to change that, as far as I'm aware they've thus
> far got no intention of changing it.  But feel free to
> check/research to see if that's changed.
> Storing passwords in the clear - or reversibly encrypted,
> is considered a "bad thing" ... however, it's necessary if one
> is going to send periodic (e.g. monthly) password reminders
> of the current password ... as Mailman is quite capable of.
> One can disable that if one wishes, and list admins can also change
> that or the default.  But regardless, Mailman stores that in the
> clear.  To its credit, it does explicitly tell one to not use
> a valuable/important password ... because, well, it stores the
> Mailman list passwords in the clear.
>
> Can't exactly say it didn't tell 'ya.  ;-)
> ... but folks tend to forget, often having subscribed, months,
> years, even decades earlier.
>
> > From: "Akkana Peck" <akkana at shallowsky.com>
> > Subject: Re: [sf-lug] Anyone here had any contact with Linu xChix.org?
> > Date: Thu, 6 Jun 2019 15:55:24 -0600
>
> > Ehud Kaldor writes:
> >> I am registered on it, and it seems it's saving passwords in clear, and the
> >> monthly mailer daemon sends them in clear email :(
> >>
> >>
> >> This is a reminder, sent out once a month, about your linuxchix.org
> >> mailing list memberships.  It includes your subscription info and how
> >> to use it to change it or unsubscribe from a list.
> > [ ... ]
> >
> > Doesn't Mailman always do that? Every Mailman list I'm on does
> > things that way, and I don't even know if Mailman has any other
> > way of doing things. The list page mentions that explicitly:
> > https://www.linuxchix.org/content/join-our-email-lists-or-read-archives
> > as do the subscription pages for each list ("Do not use a valuable
> > password as it will occasionally be emailed back to you in cleartext.")
> >
> > Doesn't this sf-lug list do the same thing? I don't seem to
> > have any saved Mailman notices for sf-lug, but svlug and balug
> > (as well as a zillion other technical lists I'm on) send the same
> > cleartext reminders.
> >
> > I don't know why Mailman does things that way, but it's definitely
> > not a LinuxChix specific problem.
> >
> >         ...Akkana
>
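
An added example, not part of the original thread and not Mailman's code: a sketch of the alternative the messages above point to, where only a salted hash is stored (so no reminder of the current password can be produced) and a forgotten password is handled with a single-use, expiring token sent by e-mail. `MemberStore`, its methods, and the iteration and expiry values are assumptions for illustration.

```python
import hashlib, hmac, secrets, time

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed value)
TOKEN_TTL = 3600       # reset tokens expire after one hour (assumed value)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class MemberStore:
    """Hypothetical subscriber store: keeps salted hashes, never the password."""

    def __init__(self):
        self._members = {}   # address -> (salt, password_hash)
        self._resets = {}    # address -> (sha256(token), expiry)

    def set_password(self, address, password):
        salt = secrets.token_bytes(16)
        self._members[address] = (salt, _hash(password, salt))

    def check_password(self, address, password):
        salt, stored = self._members[address]
        return hmac.compare_digest(stored, _hash(password, salt))

    def stored_record(self, address):
        # All that a database leak or a monthly "reminder" job could read:
        # a random salt and a one-way hash, with no way back to the password.
        return self._members[address]

    def start_reset(self, address, now=None):
        # Returns the token that would be e-mailed; only its hash is kept.
        token = secrets.token_urlsafe(32)
        expiry = (now or time.time()) + TOKEN_TTL
        self._resets[address] = (hashlib.sha256(token.encode()).digest(), expiry)
        return token

    def finish_reset(self, address, token, new_password, now=None):
        # pop() makes the token single use, even when the attempt fails.
        digest, expiry = self._resets.pop(address, (b"", 0))
        presented = hashlib.sha256(token.encode()).digest()
        ok = hmac.compare_digest(digest, presented) and (now or time.time()) < expiry
        if ok:
            self.set_password(address, new_password)
        return ok
```

The e-mailed token grants only the ability to set a new password once within the expiry window, so a reset message read later from a mailbox or archive discloses no password.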