[Lab] Plain text password
lpaseen at gmail.com
Wed Nov 4 10:28:29 EST 2015
-----BEGIN PGP SIGNED MESSAGE-----
On 11/01/2015 10:31 AM, Jean-Marc LeBlanc wrote:
> I just noticed that the database for the modlab mailing list keeps
> passwords in plain text rather than a salted hash.
When you signed up you should have seen something like
"You may enter a privacy password below. This provides only mild
security, but should prevent others from messing with your subscription.
Do not use a valuable password as it will occasionally be emailed back
to you in cleartext."
(at least if you used http://artengine.ca/mailman/listinfo/lab)
note the "may", if no password is entered a random one is created and
that's normally what I do.
It's an old discussion about it at
- From one of those posts:
"The best I can tell, your expectations for Mailman's security and the
software authors' expectations are completely different. As has already
been explained, it is a low level of security designed to prevent (maybe
I should just say discourage) mischief. It is not intended to be as
secure as what secures your bank accounts. If your Mailman password is
compromised, what is the most damage that can be done? Very little."
> Does it keep a history of passwords?
since you can put same psw as new psw I can't see it having history
> Could I have all my passwords
> scrubed from the data base?
quick check on my own mailman list I see the psw in
/var/lib/mailman/lists/[listnam]/config.pck and it seems like best way
to go is to change your password to some random string.
> Lab mailing list
> 1. subscribe http://artengine.ca/mailman/listinfo/lab
> 2. then email Lab at artengine.ca to send your message to the list
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
More information about the Lab