[Lab] Plain text password

Jean-Marc LeBlanc jeanmarc.leblanc at gmail.com
Fri Nov 6 13:58:25 EST 2015


Google has a nice one.


Jean-Marc Le Blanc
---

On Thu, Nov 5, 2015 at 4:52 PM, Jaime Yu <jaime at jaimeyu.com> wrote:

> Yeah, showing a notice for now is good so new subscribers know the
> dangers. But I still would rather see an active attempt at keeping
> passwords safe. Even though someone cracking the database won't be able to
> do much with my one off password, I still prefer to err on the side of
> doing right and actively avoiding the situation.
>
> A cloud service sounds interesting since it would almost always be up to
> date (I depend on my WordPress site to auto update itself and the PHP
> runtime since I know I'm too lazy to manually do it).
>
> On Thu, Nov 5, 2015, 14:16 Chris de Groot <cdegroot at adobe.com> wrote:
>
>> My recommendation is we must figure out a way to secure the passwords.
>> It’s cool and stuff to run the service, but it is too much of a danger as
>> it stands today, we must assume it will get stolen and that not everyone
>> will read the notes on how to select a password for the mail list. I think
>> it would be valid to consider a hosted community service that takes away
>> all these responsibilities from the folk who provide enough time to keep it
>> running, but maybe not enough time to keep it safe. Google Groups may be an
>> option.
>>
>> C.
>>
>> From: Lab <lab-bounces at artengine.ca> on behalf of Jean-Marc LeBlanc <
>> jeanmarc.leblanc at gmail.com>
>> Date: Thursday, November 5, 2015 at 2:53 PM
>> To: "peters-modlab at techwiz.ca" <peters-modlab at techwiz.ca>
>> Cc: lab <lab at artengine.ca>
>> Subject: Re: [Lab] Plain text password
>>
>> If there's no history, I don't mind just changing the password, but it
>> might be worth mentioning.  Maybe indicate when you sign up not to reuse a
>> password and have it entirely unique to this site.
>>
>>
>> Jean-Marc Le Blanc
>> ---
>>
>> On Wed, Nov 4, 2015 at 10:28 AM, Peter Sjoberg <lpaseen at gmail.com> wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>> On 11/01/2015 10:31 AM, Jean-Marc LeBlanc wrote:
>>> > I just noticed that the database for the modlab mailing list keeps
>>> > passwords in plain text rather than a salted hash.
>>> When you signed up you should have seen something like
>>> "You may enter a privacy password below. This provides only mild
>>> security, but should prevent others from messing with your subscription.
>>> Do not use a valuable password as it will occasionally be emailed back
>>> to you in cleartext."
>>> (at least if you used http://artengine.ca/mailman/listinfo/lab)
>>>
>>> note the "may", if no password is entered a random one is created and
>>> that's normally what I do.
>>>
>>> It's an old discussion about it at
>>>   https://www.mail-archive.com/mailman-users@python.org/msg60018.html
>>> From one of those posts:
>>> "The best I can tell, your expectations for Mailman's security and the
>>> software authors' expectations are completely different. As has already
>>> been explained, it is a low level of security designed to prevent (maybe
>>> I should just say discourage) mischief. It is not intended to be as
>>> secure as what secures your bank accounts. If your Mailman password is
>>> compromised, what is the most damage that can be done? Very little."
>>>
>>> >
>>> > Does it keep a history of passwords?
>>> since you can put same psw as new psw I can't see it having history
>>> anywhere.
>>>
>>> > Could I have all my passwords
>>> > scrubbed from the database?
>>> quick check on my own mailman list I see the psw in
>>> /var/lib/mailman/lists/[listnam]/config.pck and it seems like best way
>>> to go is to change your password to some random string.
>>>
>>> /ps
>>>
>>>
>>> >
>>> >
>>> >
>>> > _______________________________________________
>>> > Lab mailing list
>>> > 1. subscribe http://artengine.ca/mailman/listinfo/lab
>>> > 2. then email Lab at artengine.ca to send your message to the list
>>> >
>
>
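
Added example (not part of the original thread, and not Mailman's code): the "salted hash" storage the thread asks for, shown as a one-time migration of a cleartext password table plus a constant-time check. The function names, the record format and the iteration count are assumptions made for this sketch; the sample table is constructed.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def hash_password(password, salt=None):
    """Return a self-describing record: scheme$iterations$salt$derived_key."""
    salt = salt or os.urandom(16)  # fresh random salt per subscriber
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), dk.hex())


def verify(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    _scheme, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def migrate(plaintext_table):
    """Replace every cleartext password with a salted hash record."""
    return {addr: hash_password(pw) for addr, pw in plaintext_table.items()}


def random_password(nbytes=16):
    """Site-unique random password, as suggested in the thread."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample data: two subscribers who picked the same password.
    table = {"alice@example.org": "hunter2", "bob@example.org": "hunter2"}
    stored = migrate(table)
    for addr, record in stored.items():
        print(addr, record)  # different salts, so different records
    print(verify("hunter2", stored["alice@example.org"]))
    print(random_password())
```

A stored record cannot be turned back into the password, so the periodic cleartext reminder quoted in the sign-up notice is not possible once passwords are kept this way.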