
Re: [tor-talk] misconfigured mailing list (mailman software) for torproject discloses passwords in plaintext (stores too?)



On Fri, Nov 09, 2012 at 06:09:36PM -0500, Matthew Fisch wrote:
> I used a unique random password for this mailing list, I'm going to
> guess however a significant portion of the mailing list either uses this
> password in other locations, a significant subset of them probably can't
> trust their mailbox to be secure.

I won't use the phrase "industry standard mailing list software" because
I hate it when other people use that phrase. But really, this is how
every free-software mailing list system works these days.

I'd be surprised if more than a trivial number of users on the Tor
lists picked a password at all. Typically people just let it choose
a random password for them, and it's nice to have that reminder sent
monthly because nobody ever knows their list password (for good reason --
there's barely a need to have a password for a mailing list subscription
in the first place).

Maybe we should find a way to wrestle it into not letting you pick a
password for yourself?

--Roger

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk