[Lab] Plain text password
jaime at jaimeyu.com
Thu Nov 5 16:52:11 EST 2015
Yeah, showing a notice for now is good so new subscribers know the dangers.
But I still would rather see an active attempt at keeping passwords safe.
Even though someone cracking the database won't be able to do much with my
one-off password, I still prefer to err on the side of doing right and
actively avoiding the situation.
A cloud service sounds interesting since it would almost always be up to
date (I depend on my WordPress site to auto update itself and the PHP
runtime since I know I'm too lazy to manually do it).
On Thu, Nov 5, 2015, 14:16 Chris de Groot <cdegroot at adobe.com> wrote:
> My recommendation is we must figure out a way to secure the passwords.
> It’s cool and stuff to run the service, but it is too much of a danger as
> it stands today, we must assume it will get stolen and that not everyone
> will read the notes on how to select a password for the mail list. I think
> it would be valid to consider a hosted community service that takes away
> all these responsibilities from the folk who provide enough time to keep it
> running, but maybe not enough time to keep it safe. Google groups maybe an
> From: Lab <lab-bounces at artengine.ca> on behalf of Jean-Marc LeBlanc <
> jeanmarc.leblanc at gmail.com>
> Date: Thursday, November 5, 2015 at 2:53 PM
> To: "peters-modlab at techwiz.ca" <peters-modlab at techwiz.ca>
> Cc: lab <lab at artengine.ca>
> Subject: Re: [Lab] Plain text password
> If there is no history, I don't mind just changing the password, but it might
> be worth mentioning. Maybe indicate when you sign up not to reuse a
> password and have it entirely unique to this site.
> Jean-Marc Le Blanc
> On Wed, Nov 4, 2015 at 10:28 AM, Peter Sjoberg <lpaseen at gmail.com> wrote:
>> On 11/01/2015 10:31 AM, Jean-Marc LeBlanc wrote:
>> > I just noticed that the database for the modlab mailing list keeps
>> > passwords in plain text rather than a salted hash.
>> When you signed up you should have seen something like
>> "You may enter a privacy password below. This provides only mild
>> security, but should prevent others from messing with your subscription.
>> Do not use a valuable password as it will occasionally be emailed back
>> to you in cleartext."
>> (at least if you used http://artengine.ca/mailman/listinfo/lab)
>> note the "may", if no password is entered a random one is created and
>> that's normally what I do.
>> It's an old discussion about it at
>> From one of those posts:
>> "The best I can tell, your expectations for Mailman's security and the
>> software authors' expectations are completely different. As has already
>> been explained, it is a low level of security designed to prevent (maybe
>> I should just say discourage) mischief. It is not intended to be as
>> secure as what secures your bank accounts. If your Mailman password is
>> compromised, what is the most damage that can be done? Very little."
>> > Does it keep a history of passwords?
>> since you can put same psw as new psw I can't see it having history
>> > Could I have all my passwords
>> > scrubbed from the database?
>> quick check on my own mailman list I see the psw in
>> /var/lib/mailman/lists/[listnam]/config.pck and it seems like best way
>> to go is to change your password to some random string.
>> > _______________________________________________
>> > Lab mailing list
>> > 1. subscribe http://artengine.ca/mailman/listinfo/lab
>> > 2. then email Lab at artengine.ca to send your message to the list
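Added example, not part of the thread and not Mailman's code: the salted-hash storage that the first message contrasts with plain text, together with a random one-off password of the kind suggested in the reply. It uses scrypt from Python's standard library; the function names, record format and cost parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# scrypt cost parameters (assumed values for this sketch, not Mailman settings)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
SALT_BYTES = 16


def random_password(nbytes: int = 16) -> str:
    """One-off password for a subscriber who does not supply their own."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>' using a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "scrypt":
        return False
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(actual, expected)


def build_store(subscribers: dict[str, str]) -> dict[str, str]:
    """Map address -> salted hash record; the plaintext is never kept."""
    return {addr: hash_password(pw) for addr, pw in subscribers.items()}


if __name__ == "__main__":
    # Constructed sample subscribers (not real addresses or passwords).
    sample = {"alice@example.org": "hunter2", "bob@example.org": "hunter2"}
    store = build_store(sample)
    for addr, record in store.items():
        print(addr, record[:40] + "...")  # same password, different records
    print(verify_password("hunter2", store["alice@example.org"]))
```

A store built this way cannot mail a forgotten password back in cleartext; a reset would have to issue a fresh value from `random_password()` instead.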