[Lab] Plain text password
Chris de Groot
cdegroot at adobe.com
Thu Nov 5 14:16:07 EST 2015
My recommendation is we must figure out a way to secure the passwords. It's cool and stuff to run the service, but it is too much of a danger as it stands today, we must assume it will get stolen and that not everyone will read the notes on how to select a password for the mail list. I think it would be valid to consider a hosted community service that takes away all these responsibilities from the folk who provide enough time to keep it running, but maybe not enough time to keep it safe. Google groups maybe an option.
From: Lab <lab-bounces at artengine.ca<mailto:lab-bounces at artengine.ca>> on behalf of Jean-Marc LeBlanc <jeanmarc.leblanc at gmail.com<mailto:jeanmarc.leblanc at gmail.com>>
Date: Thursday, November 5, 2015 at 2:53 PM
To: "peters-modlab at techwiz.ca<mailto:peters-modlab at techwiz.ca>" <peters-modlab at techwiz.ca<mailto:peters-modlab at techwiz.ca>>
Cc: lab <lab at artengine.ca<mailto:lab at artengine.ca>>
Subject: Re: [Lab] Plain text password
If there no history, I don't mind just chaining the password. but it might be worth mentioning. Maybe indicate when you sign up not to reuse a password and have it entirely unique to this site.
Jean-Marc Le Blanc
On Wed, Nov 4, 2015 at 10:28 AM, Peter Sjoberg <lpaseen at gmail.com<mailto:lpaseen at gmail.com>> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
On 11/01/2015 10:31 AM, Jean-Marc LeBlanc wrote:
> I just noticed that the database for the modlab mailing list keeps
> passwords in plain text rather than a salted hash.
When you signed up you should have seen something like
"You may enter a privacy password below. This provides only mild
security, but should prevent others from messing with your subscription.
Do not use a valuable password as it will occasionally be emailed back
to you in cleartext."
(at least if you used http://artengine.ca/mailman/listinfo/lab)
note the "may", if no password is entered a random one is created and
that's normally what I do.
It's an old discussion about it at
- From one of those posts:
"The best I can tell, your expectations for Mailman's security and the
software authors' expectations are completely different. As has already
been explained, it is a low level of security designed to prevent (maybe
I should just say discourage) mischief. It is not intended to be as
secure as what secures your bank accounts. If your Mailman password is
compromised, what is the most damage that can be done? Very little."
> Does it keep a history of passwords?
since you can put same psw as new psw I can't see it having history
> Could I have all my passwords
> scrubed from the data base?
quick check on my own mailman list I see the psw in
/var/lib/mailman/lists/[listnam]/config.pck and it seems like best way
to go is to change your password to some random string.
> Lab mailing list
> 1. subscribe http://artengine.ca/mailman/listinfo/lab
> 2. then email Lab at artengine.ca<mailto:Lab at artengine.ca> to send your message to the list
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
Lab mailing list
1. subscribe http://artengine.ca/mailman/listinfo/lab
2. then email Lab at artengine.ca<mailto:Lab at artengine.ca> to send your message to the list
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Lab