[Lab] Plain text password

Chris de Groot cdegroot at adobe.com
Thu Nov 5 14:16:07 EST 2015


My recommendation is we must figure out a way to secure the passwords. It's cool and stuff to run the service, but it is too much of a danger as it stands today; we must assume it will get stolen and that not everyone will read the notes on how to select a password for the mail list. I think it would be valid to consider a hosted community service that takes away all these responsibilities from the folk who provide enough time to keep it running, but maybe not enough time to keep it safe. Google Groups may be an option.

C.

From: Lab <lab-bounces at artengine.ca> on behalf of Jean-Marc LeBlanc <jeanmarc.leblanc at gmail.com>
Date: Thursday, November 5, 2015 at 2:53 PM
To: "peters-modlab at techwiz.ca" <peters-modlab at techwiz.ca>
Cc: lab <lab at artengine.ca>
Subject: Re: [Lab] Plain text password

If there's no history, I don't mind just changing the password, but it might be worth mentioning. Maybe indicate when you sign up not to reuse a password and have it entirely unique to this site.


Jean-Marc Le Blanc
---

On Wed, Nov 4, 2015 at 10:28 AM, Peter Sjoberg <lpaseen at gmail.com> wrote:

On 11/01/2015 10:31 AM, Jean-Marc LeBlanc wrote:
> I just noticed that the database for the modlab mailing list keeps
> passwords in plain text rather than a salted hash.
When you signed up you should have seen something like
"You may enter a privacy password below. This provides only mild
security, but should prevent others from messing with your subscription.
Do not use a valuable password as it will occasionally be emailed back
to you in cleartext."
(at least if you used http://artengine.ca/mailman/listinfo/lab)

Note the "may": if no password is entered a random one is created, and
that's normally what I do.

There's an old discussion about it at
  https://www.mail-archive.com/mailman-users@python.org/msg60018.html
From one of those posts:
"The best I can tell, your expectations for Mailman's security and the
software authors' expectations are completely different. As has already
been explained, it is a low level of security designed to prevent (maybe
I should just say discourage) mischief. It is not intended to be as
secure as what secures your bank accounts. If your Mailman password is
compromised, what is the most damage that can be done? Very little."

>
> Does it keep a history of passwords?
Since you can put the same psw as the new psw, I can't see it having history
anywhere.

> Could I have all my passwords
> scrubbed from the database?
A quick check on my own Mailman list: I see the psw in
/var/lib/mailman/lists/[listname]/config.pck and it seems like the best way
to go is to change your password to some random string.

/ps


>
> _______________________________________________
> Lab mailing list
> 1. subscribe http://artengine.ca/mailman/listinfo/lab
> 2. then email Lab at artengine.ca to send your message to the list
