[support] Password in clear text

Anthony tony at tony-mac.com
Sat Dec 1 22:19:52 UTC 2012


Very well written Richard.

On Sat, Dec 1, 2012 at 1:59 PM, Richard Damon <Richard at damon-family.org> wrote:

>  On 12/1/12 11:57 AM, Pat Ferrel wrote:
>
> I just got a reminder from the mailman-owner at drupal.org about my account
> settings for this mail group.
>
>  The email contained my password in clear text!!! This is completely
> unacceptable.
>
>    1. you should never save my password in clear text
>    2. you should never never send it anywhere!
>
>
>  This is something I'd expect from bad practices of the last century.
>
>
>  As has been mentioned, the fact that this will happen is clearly stated
> on the subscription form. This password policy has been discussed on the
> Mailman development lists, and the basic argument is that the list password
> is protecting low security information, as all that someone getting this
> password can do is to mess up your subscription settings or unsubscribe you
> from the list. Mailman is also set up to be totally usable by a user via
> email and not require any web access, the process needs to allow for the
> transmission of passwords in plain text as there is no other option with
> email.
>
> If YOU made the mistake of using a "valuable" password for the list, and
> do not trust the security of your email system, it is your own fault, and
> you should change your password and do your best to clear that email from
> your client. You can also change your setting to suppress the monthly
> password reminder, but anyone can get the system to email it to you if they
> want.
>
>  As to the other comment about "sensible managers" turning off this
> option, I would have to disagree, most of the Mailman lists that I belong
> to do send the monthly reminder, and I would never turn it off for the
> lists I run because I get enough people who subscribe to lists like this
> with a free email account so that when the email address gets too well
> known and starts to get too much spam, the account can be closed down and a
> new one made (and the list subscription changed), and then the free email
> account is set to forward to their main account.  If the person doesn't POST
> that often, they may forget what email address the list is actually sending
> email to, and if you forget what it is, you need to know how to read email
> headers well to figure it out, assuming the relaying host adds the "for"
> information in the received headers.
>
> --
> Richard Damon
>
>
> --
> [ Drupal support list | http://lists.drupal.org/ ]
>



-- 

*Anthony Stefan Maciejowski*
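
The header check Richard describes (finding which address a list is really mailing by reading the "for" clause of the Received headers), as an added example that is not part of the original thread. The sample message, hostnames, addresses and function names are constructed for illustration; the "for" clause is optional, so the result is a heuristic.

```python
import re
from email import message_from_string

# Constructed sample: list mail sent to a throwaway address that forwards home.
SAMPLE = """\
Received: from mx.freemail.example (mx.freemail.example [192.0.2.10])
\tby mail.home.example with ESMTP id abc123
\tfor <me@home.example>; Sat, 1 Dec 2012 14:00:05 -0500
Received: from lists.example.org (lists.example.org [198.51.100.7])
\tby mx.freemail.example with ESMTP id def456
\tfor <throwaway42@freemail.example>; Sat, 1 Dec 2012 19:00:02 +0000
Received: from localhost (localhost [127.0.0.1])
\tby lists.example.org with ESMTP id ghi789;
\tSat, 1 Dec 2012 19:00:01 +0000
From: mailman-owner@lists.example.org
To: support@lists.example.org
Subject: [support] monthly reminder

body
"""

_COMMENT = re.compile(r"\([^()]*\)")
_FOR = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def strip_comments(value):
    """Remove parenthesised header comments, innermost first (handles nesting)."""
    prev = None
    while prev != value:
        prev, value = value, _COMMENT.sub(" ", value)
    return value


def envelope_recipients(raw):
    """Return the 'for' address of each Received header, newest hop first."""
    msg = message_from_string(raw)
    out = []
    for hdr in msg.get_all("Received", []):
        # Drop the trailing date so only the from/by/with/for clauses remain.
        clauses = strip_comments(hdr).rsplit(";", 1)[0]
        m = _FOR.search(clauses)
        out.append(m.group(1).lower() if m else None)  # None: hop omitted 'for'
    return out


def subscribed_address(raw):
    """Oldest hop that recorded a recipient, i.e. the address the list mailed."""
    found = [a for a in envelope_recipients(raw) if a]
    return found[-1] if found else None
```

If no relay recorded a "for" clause, `subscribed_address` returns `None` and the headers alone cannot answer the question.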