[Lab] Plain text password
jeanmarc.leblanc at gmail.com
Fri Nov 6 13:58:25 EST 2015
google has a nice one.
Jean-Marc Le Blanc
On Thu, Nov 5, 2015 at 4:52 PM, Jaime Yu <jaime at jaimeyu.com> wrote:
> Yeah, showing a notice for now is good so new subscribers know the
> dangers. But I still would rather see an active attempt at keeping
> passwords safe. Even though someone cracking the database won't be able to
> do much with my one off password, I still prefer to err on the side of
> doing right and actively avoiding the situation.
> A cloud service sounds interesting since it would almost always be up to
> date (I depend on my WordPress site to auto update itself and the php
> runtime since I know I'm too lazy to manually do it).
> On Thu, Nov 5, 2015, 14:16 Chris de Groot <cdegroot at adobe.com> wrote:
>> My recommendation is we must figure out a way to secure the passwords.
>> It’s cool and stuff to run the service, but it is too much of a danger as
>> it stands today, we must assume it will get stolen and that not everyone
>> will read the notes on how to select a password for the mail list. I think
>> it would be valid to consider a hosted community service that takes away
>> all these responsibilities from the folk who provide enough time to keep it
>> running, but maybe not enough time to keep it safe. Google groups maybe an
>> From: Lab <lab-bounces at artengine.ca> on behalf of Jean-Marc LeBlanc <
>> jeanmarc.leblanc at gmail.com>
>> Date: Thursday, November 5, 2015 at 2:53 PM
>> To: "peters-modlab at techwiz.ca" <peters-modlab at techwiz.ca>
>> Cc: lab <lab at artengine.ca>
>> Subject: Re: [Lab] Plain text password
>> If there no history, I don't mind just chaining the password. but it
>> might be worth mentioning. Maybe indicate when you sign up not to reuse a
>> password and have it entirely unique to this site.
>> Jean-Marc Le Blanc
>> On Wed, Nov 4, 2015 at 10:28 AM, Peter Sjoberg <lpaseen at gmail.com> wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>> On 11/01/2015 10:31 AM, Jean-Marc LeBlanc wrote:
>>> > I just noticed that the database for the modlab mailing list keeps
>>> > passwords in plain text rather than a salted hash.
>>> When you signed up you should have seen something like
>>> "You may enter a privacy password below. This provides only mild
>>> security, but should prevent others from messing with your subscription.
>>> Do not use a valuable password as it will occasionally be emailed back
>>> to you in cleartext."
>>> (at least if you used http://artengine.ca/mailman/listinfo/lab)
>>> note the "may", if no password is entered a random one is created and
>>> that's normally what I do.
>>> It's an old discussion about it at
>>> - From one of those posts:
>>> "The best I can tell, your expectations for Mailman's security and the
>>> software authors' expectations are completely different. As has already
>>> been explained, it is a low level of security designed to prevent (maybe
>>> I should just say discourage) mischief. It is not intended to be as
>>> secure as what secures your bank accounts. If your Mailman password is
>>> compromised, what is the most damage that can be done? Very little."
>>> > Does it keep a history of passwords?
>>> since you can put same psw as new psw I can't see it having history
>>> > Could I have all my passwords
>>> > scrubed from the data base?
>>> quick check on my own mailman list I see the psw in
>>> /var/lib/mailman/lists/[listnam]/config.pck and it seems like best way
>>> to go is to change your password to some random string.
>>> > _______________________________________________
>>> > Lab mailing list
>>> > 1. subscribe http://artengine.ca/mailman/listinfo/lab
>>> > 2. then email Lab at artengine.ca to send your message to the list
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v2
>>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>> -----END PGP SIGNATURE-----
>>> Lab mailing list
>>> 1. subscribe http://artengine.ca/mailman/listinfo/lab
>>> 2. then email Lab at artengine.ca to send your message to the list
>> Lab mailing list
>> 1. subscribe http://artengine.ca/mailman/listinfo/lab
>> 2. then email Lab at artengine.ca to send your message to the list
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Lab