
Re: [tor-talk] misconfigured mailing list (mailman software) for torproject discloses passwords in plaintext (stores too?)

As long as the password isn't used elsewhere, it's not a huge deal -
security savvy users probably just use a throwaway password. The main
threat here is if you are reusing passwords.

Preset passwords might be a good idea, but I think in the grand scheme
of things, it's a minor issue.

Is this behavior that is easily changed in Mailman?
--
Greg Norcie (greg@xxxxxxxxxx)
GPG key: 0x1B873635

On 11/9/12 8:25 PM, andrew@xxxxxxxxxxxxx wrote:
> On Fri, Nov 09, 2012 at 06:09:36PM -0500, mfisch@xxxxxxxxxx wrote 0.7K bytes in 16 lines about:
> : Upon signing up for the mailing list on the list server, my password was emailed to me in plaintext. In the year 2012 this is extremely bad security practice. At the very least the sign-up page should warn users to make the password unique.
> 
> Right. This is the default mailman process. Getting mailman to improve
> their defaults hasn't worked so far.
> 
> : The password may also be stored in reversible format.
> : 
> : I used a unique random password for this mailing list, I'm going to guess however a significant portion of the mailing list either uses this password in other locations, a significant subset of them probably can't trust their mailbox to be secure.
> 
> A significant number of people join via email, not the web interface,
> and therefore mailman picks a password for them.
> 
> What's more secure mailing list software that is in debian repos and works
> for non-technical users?
> 
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
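An added illustration, not Mailman's code and not from any poster on this thread, of the design the discussion points toward: subscribers who join by email still get a server-generated password, but the server keeps only a salted hash, so it can never mail the password back later and has to issue a single-use reset token instead. All function names are assumptions, and the subscriber store is constructed in memory.

```python
"""Added example (not Mailman's code): email-only subscribers get a generated
password, yet nothing reversible is stored, so no plaintext reminder is possible."""
import hashlib
import hmac
import os
import secrets

# Constructed in-memory subscriber store: address -> record (assumption, not Mailman's).
SUBSCRIBERS = {}
_PBKDF2_ITERATIONS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ITERATIONS)


def subscribe_by_email(address: str) -> str:
    """Pick a random password for an email-only subscriber, keep only its salted
    hash, and return the plaintext exactly once for the welcome message."""
    password = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    SUBSCRIBERS[address] = {"salt": salt, "hash": _hash_password(password, salt)}
    return password  # sent once; the server cannot recover it afterwards


def verify_password(address: str, candidate: str) -> bool:
    record = SUBSCRIBERS.get(address)
    if record is None:
        return False
    return hmac.compare_digest(record["hash"], _hash_password(candidate, record["salt"]))


def password_reminder(address: str) -> str:
    """A hash-only store makes 'mail me my password' impossible; the server
    can only hand out a short-lived, single-use reset token (hash kept)."""
    record = SUBSCRIBERS.get(address)
    if record is None:
        return ""
    token = secrets.token_urlsafe(16)
    record["reset_token"] = hashlib.sha256(token.encode()).digest()
    return token


def reset_password(address: str, token: str, new_password: str) -> bool:
    record = SUBSCRIBERS.get(address)
    if record is None or "reset_token" not in record:
        return False
    if not hmac.compare_digest(record["reset_token"], hashlib.sha256(token.encode()).digest()):
        return False
    del record["reset_token"]  # single use
    record["salt"] = os.urandom(16)
    record["hash"] = _hash_password(new_password, record["salt"])
    return True
```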