[Lab] Plain text password

Jaime Yu jaime at jaimeyu.com
Thu Nov 5 16:52:11 EST 2015


Yeah, showing a notice for now is good so new subscribers know the dangers.
But I still would rather see an active attempt at keeping passwords safe.
Even though someone cracking the database won't be able to do much with my
one off password, I still prefer to err on the side of doing right and
actively avoiding the situation.

A cloud service sounds interesting since it would almost always be up to
date (I depend on my WordPress site to auto update itself and the php
runtime since I know I'm too lazy to manually do it).

On Thu, Nov 5, 2015, 14:16 Chris de Groot <cdegroot at adobe.com> wrote:

> My recommendation is we must figure out a way to secure the passwords.
> It’s cool and stuff to run the service, but it is too much of a danger as
> it stands today, we must assume it will get stolen and that not everyone
> will read the notes on how to select a password for the mail list. I think
> it would be valid to consider a hosted community service that takes away
> all these responsibilities from the folk who provide enough time to keep it
> running, but maybe not enough time to keep it safe. Google groups maybe an
> option.
>
> C.
>
> From: Lab <lab-bounces at artengine.ca> on behalf of Jean-Marc LeBlanc <
> jeanmarc.leblanc at gmail.com>
> Date: Thursday, November 5, 2015 at 2:53 PM
> To: "peters-modlab at techwiz.ca" <peters-modlab at techwiz.ca>
> Cc: lab <lab at artengine.ca>
> Subject: Re: [Lab] Plain text password
>
> If there no history, I don't mind just chaining the password. but it might
> be worth mentioning.  Maybe indicate when you sign up not to reuse a
> password and have it entirely unique to this site.
>
>
> Jean-Marc Le Blanc
> ---
>
> On Wed, Nov 4, 2015 at 10:28 AM, Peter Sjoberg <lpaseen at gmail.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> On 11/01/2015 10:31 AM, Jean-Marc LeBlanc wrote:
>> > I just noticed that the database for the modlab mailing list keeps
>> > passwords in plain text rather than a salted hash.
>> When you signed up you should have seen something like
>> "You may enter a privacy password below. This provides only mild
>> security, but should prevent others from messing with your subscription.
>> Do not use a valuable password as it will occasionally be emailed back
>> to you in cleartext."
>> (at least if you used http://artengine.ca/mailman/listinfo/lab)
>>
>> note the "may", if no password is entered a random one is created and
>> that's normally what I do.
>>
>> It's an old discussion about it at
>>   https://www.mail-archive.com/mailman-users@python.org/msg60018.html
>> - From one of those posts:
>> "The best I can tell, your expectations for Mailman's security and the
>> software authors' expectations are completely different. As has already
>> been explained, it is a low level of security designed to prevent (maybe
>> I should just say discourage) mischief. It is not intended to be as
>> secure as what secures your bank accounts. If your Mailman password is
>> compromised, what is the most damage that can be done? Very little."
>>
>> >
>> > Does it keep a history of passwords?
>> since you can put same psw as new psw I can't see it having history
>> anywhere.
>>
>> > Could I have all my passwords
>> > scrubed from the data base?
>> quick check on my own mailman list I see the psw in
>> /var/lib/mailman/lists/[listnam]/config.pck and it seems like best way
>> to go is to change your password to some random string.
>>
>> /ps
>>
>>
>> >
>> >
>> >
>> > _______________________________________________
>> > Lab mailing list
>> > 1. subscribe http://artengine.ca/mailman/listinfo/lab
>> > 2. then email Lab at artengine.ca to send your message to the list
>> >
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2
>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>
>> iQIVAwUBVjokGyRVDohC3d3dAQoMwRAAhsJu+WXTAlINzrOxajDdh5jV+SFvv1gi
>> SDcxeiGQEumRj2qcsg5beu8YyoaPxIjwk7kbxMypEbxw82fYlo/IFe5D7au4mI/a
>> uOUpCzqCYT2KnSdepzDkb2wZDuTLFvSfCgLJ0vyvW6j8xHx9lMXSoHp/Et6AQ3uH
>> /KdnNDbBsKNv30YtFArMwVYnZ6JdJ6z4mXoP1X7aEN4q2ELgPVKKZmQ9UJZNkY32
>> MkKksA0bSp+sVgGWW6gNqMa+I6lzr+eIClRQTeRm7T7oQ80uJyQM52Btwzhf68RQ
>> A7LQijOi0pJUjEhy/3QAD3N9SwX0afBLuTDQaGJuBvzuuvsBPM3+u8gp4L6CrueJ
>> Jx45dK44u2z/IsmMqifmR5eBFyNjIxlz/B9XRVXIMo1BlUrIYV2UoJ56qLIRUZQ9
>> 7fOOfZkdOZ2GLOkwVsDErKuUDXgBwFBxOrcLc6LbgahlGb8ht/nrilHzS50Pvyay
>> n0gXz9t0oCnJLcDIzydIRvj1gEqRzYv9NPRKy4rxGKDZgwWjtAR4apDmMn/66NS6
>> eE/7Bdd9QeCmTaZqybFHp76vs4AyCJBaGoGS4AeF3qPmr/+brCxOsXLl7C6P0mwG
>> jxtZX8gZhsjnQsN5SqPW5WzWkN23oQd7RJk3vafam2PWr4EPkzpH+DjtdyRXIbwO
>> NC4od03mVIg=
>> =JyGq
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> Lab mailing list
>> 1. subscribe http://artengine.ca/mailman/listinfo/lab
>> 2. then email Lab at artengine.ca to send your message to the list
>>
>
> _______________________________________________
> Lab mailing list
> 1. subscribe http://artengine.ca/mailman/listinfo/lab
> 2. then email Lab at artengine.ca to send your message to the list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://artengine.ca/pipermail/lab/attachments/20151105/5b54577a/attachment.html>


More information about the Lab mailing list