[sf-lug] Yes, Mailman stores and sends the passwords in the clear: Re: Anyone here had any contact with LinuxChix.org?

Michael Paoli Michael.Paoli at cal.berkeley.edu
Sat Jun 8 08:00:10 PDT 2019


I'd actually typed up a more complete reply to the earlier,
then (mis)managed to drop it without saving or successfully
sending it ("oops").  Anyway, in brief(er):

Saving password in the clear is a bad idea; in general, it's also a bad
idea to save passwords in reversibly encrypted form.  For those systems
that authenticate via a password - on the receiving/authenticating
(e.g. typically server) side of it, there's no reason for
passwords to be there or for them to be in any decryptable form.
They should be securely and irreversibly hashed, etc.

As for saving in reversibly encrypted form - that might be needed,
e.g. for users somewhere, or their (typically) client software,
etc. - but that's completely separate and should be nowhere near
the system(s) (typically server side) that accept a password
(directly or indirectly) to authenticate the user.

GNU Mailman - sure, periodic (e.g. monthly) email to list can
generally be a good thing (e.g. list hygiene).  But emailing
passwords - that's generally a bad thing (resets or reset passwords
via email, also far from ideal, but that's another topic).
From my searches/skims (to update/refresh wetware) regarding
GNU Mailman and passwords - it looks for the 2.x version
series (including current) - it's mostly or entirely a
"won't fix" regarding clear text passwords - even though
patch(es) have been submitted to change that(!) to having
passwords properly secured (securely one-way hashed, etc.,
not plain text, and related authentication adjustments)
... but sounds like the patches didn't (yet?) also include
stuff to change how the periodic reminder emails are done and
updating all the other reset mechanisms and the like.
Hey, y'all, it *is* Open Source ... one can always
fork and ...
In any case, sounds like GNU Mailman will *NOT*
"fix" this in the 2.x series, but probably will in
the 3.x version series.  However, when, if ever, the 3.x
version series will come out sounds like an
open question.

> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: Re: [sf-lug] Yes, Mailman stores and sends the passwords in
> the clear: Re: Anyone here had any contact with LinuxChix.org?
> Date: Sat, 8 Jun 2019 00:03:52 -0700

> Quoting Ehud Kaldor (ehud.kaldor at gmail.com):
>
>> The problem of resetting password has been solved a long time ago (and
>> relies on email!) so this feature is not really clear to me.
>>
>> I have no problem with periodic email. It is the practice of sending
>> passwords I was bringing up.
>
> Honestly, all I have is what I think are reasonable surmises about the
> reasons for that feature, e.g., my sense is that the (default) periodic
> reminder mails produce the benefits I mentioned upthread.  If you really
> want the developers' take on that, though, there's no substitute for
> asking them.  (The lead developer is Mark Sapiro.)
>
> You can find them from here:
> https://wiki.list.org/
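As an added illustration (not Mailman's code and not from anyone in the thread), here is a subscriber store that keeps only a salted, irreversible PBKDF2-HMAC-SHA256 hash per address and still authenticates, so no stored value could ever be mailed back in a reminder; the record format and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed work factor for this illustration; tune to your hardware.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for storage.

    A fresh random salt is drawn per call, so equal passwords get different records.
    """
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class SubscriberStore:
    """Minimal list-subscriber database (constructed); holds no recoverable password."""

    def __init__(self) -> None:
        self._records: dict[str, str] = {}
        # Hash of a random value, verified against for unknown addresses so that
        # the time taken does not reveal whether an address is subscribed.
        self._dummy = hash_password(secrets.token_hex(16))

    def subscribe(self, email: str, password: str) -> None:
        self._records[email] = hash_password(password)

    def authenticate(self, email: str, password: str) -> bool:
        stored = self._records.get(email, self._dummy)
        return verify_password(password, stored) and email in self._records

    def stored_record(self, email: str) -> str:
        """What is on disk for an address: a one-way hash, never the password itself."""
        return self._records[email]
```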
