I just got a reminder from the mailman-owner@drupal.org about my account settings for this mail group.
The email contained my password in clear text!!! This is completely unacceptable.
- you should never save my password in clear text
- you should never never send it anywhere!
This is something I'd expect from bad practices of the last century.
This behavior is explicitly mentioned on the subscription page: http://lists.drupal.org/mailman/listinfo/support
On 01.12.2012 at 17:57, Pat Ferrel wrote:
[ Drupal support list | http://lists.drupal.org/ ]
On 1 December 2012 16:57, Pat Ferrel pat@occamsmachete.com wrote:
I just got a reminder from the mailman-owner@drupal.org about my account settings for this mail group.
The email contained my password in clear text!!! This is completely unacceptable.
you should never save my password in clear text you should never never send it anywhere!
This is something I'd expect from bad practices of the last century.
This is the default in the MailMan software. Most sensible list maintainers turn the monthly reminder off, especially on a list like this with enough traffic that it would be hard to forget you're subscribed.
John.
John, when saying "most sensible list maintainers" you sound rather insulting. This, like all things in Drupal, is community built. Consider offering constructive criticism and offering a solution that you are willing to help implement.
On Dec 1, 2012 10:41 AM, "John Layt" johnlayt@googlemail.com wrote:
On 12/1/12 11:57 AM, Pat Ferrel wrote:
I just got a reminder from the mailman-owner@drupal.org about my account settings for this mail group.
The email contained my password in clear text!!! This is completely unacceptable.
- you should never save my password in clear text
- you should never never send it anywhere!
This is something I'd expect from bad practices of the last century.
As has been mentioned, the fact that this will happen is clearly stated on the subscription form. This password policy has been discussed on the Mailman development lists, and the basic argument is that the list password is protecting low security information, as all that someone getting this password can do is to mess up your subscription settings or unsubscribe you from the list. Mailman is also set up to be totally usable by a user via email and not require any web access; the process needs to allow for the transmission of passwords in plain text as there is no other option with email.
If YOU made the mistake of using a "valuable" password for the list, and do not trust the security of your email system, it is your own fault, and you should change your password and do your best to clear that email from your client. You can also change your setting to suppress the monthly password reminder, but anyone can get the system to email it to you if they want.
As to the other comment about "sensible managers" turning off this option, I would have to disagree. Most of the Mailman lists that I belong to do send the monthly reminder, and I would never turn it off for the lists I run, because I get enough people who subscribe to lists like this with a free email account so that when the email address gets too well known and starts to get too much spam, the account can be closed down and a new one made (and the list subscription changed), and then the free email account is set to forward to their main account. If the person doesn't POST that often, they may forget what email address the list is actually sending email to, and if you forget what it is, you need to know how to read email headers well to figure it out, assuming the relaying host adds the "for" information in the received headers.
Very well written Richard.
On Sat, Dec 1, 2012 at 1:59 PM, Richard Damon Richard@damon-family.org wrote:
Wow, this is complete foolishness.
How does my failure to read a notice have anything to do with an obviously bad practice? Red herring!
Also what does the fact that this is a community effort have anything to do with an obviously bad practice? Another red herring. Community can also work to point out failures like this and work to fix them.
The password protects low security information but I am not even sure where else I use that password. And this itself is another red herring.
Passwords in clear text are universally and absolutely BAD. You can justify the fact that no one has time to fix it. That I understand but the rest of these arguments are purely specious.
On Dec 1, 2012, at 2:19 PM, Anthony tony@tony-mac.com wrote:
Pat,
I did not justify it by saying it's a community effort. I said that if someone wants it fixed they need to stand up and do it.
I hope that will be you.
Thanks, Steve
On Dec 2, 2012 10:25 AM, "Pat Ferrel" pat.ferrel@gmail.com wrote:
Sorry Steve, I didn't mean to wrong you. You are on the right side of this. I'd fix or file a bug but unfortunately have bigger fish to fry at present. I hope someone else does.
For anyone reading this exchange I recommend you pay close attention to the names on the exchange emails and filter any future advice accordingly. Also pretty much assume your passwords here have been compromised and should be used nowhere else.
Out.
On Dec 2, 2012, at 9:28 AM, Steve Kessler skessler@denverdataman.com wrote:
So you have time to attack people for disagreeing with you, but not a minute to simply file an issue on D.O.? Why not help fix the problem by filing an issue, instead of contributing to it by simply ignoring it?
Jamie Holly http://www.intoxination.net http://www.hollyit.net
On 12/3/2012 12:10 PM, Pat Ferrel wrote:
This list is not the place for this discussion. If you feel that this is an issue, then please open an issue up in the webmasters issue tracker:
http://drupal.org/node/add/project-issue/webmasters
Jamie Holly http://www.intoxination.net http://www.hollyit.net
On 12/2/2012 12:24 PM, Pat Ferrel wrote:
On 12/2/12 12:24 PM, Pat Ferrel wrote:
Wow, this is complete foolishness.
How does my failure to read a notice have anything to do with an obviously bad practice? Red herring!
Also what does the fact that this is a community effort have anything to do with an obviously bad practice? Another red herring. Community can also work to point out failures like this and work to fix them.
The password protects low security information but I am not even sure where else I use that password. And this itself is another red herring.
Passwords in clear text are universally and absolutely BAD. You can justify the fact that no one has time to fix it. That I understand but the rest of these arguments are purely specious.
Then I presume that you only use https (and never http) to access web sites, sftp (and never ftp) to send data, and use SSL to fetch your email, and only use sites that support these with keys you know you can trust.
Using the same password on multiple sites is a bigger mistake than sending passwords in clear text, as you are then trusting the security of all the sites you share passwords with to the worst security of any of them. If you didn't notice the clearly stated policy of sending your password in clear text with an explicit warning not to use a valuable password, how much do you check on the password security of the other sites you use? Many sites do not store your password encrypted, or may have holes that allow someone to steal your password while accessing the site.
Mailman was designed over a decade ago (I guess that makes your previous comment about last century true), and as part of its design goals, it is to be fully usable by a user using only email traffic. With this as a design parameter it is IMPOSSIBLE to not send a password in clear text without requiring extensions beyond basic email, as email is non-encrypted. While the web interface has become more powerful, and thus perhaps now the primary access channel for options, it wasn't so in the beginning (you can subscribe by sending an email, change your options with another email, etc.). For all of these email transactions the password needs to be sent in the clear, so securing the web access better doesn't make that much sense. Think how you would do a "password reset" function like Drupal uses via a pure email transaction that doesn't send the password in clear text.
Note also that if your email system has been compromised enough that someone can read your email to find the password, they likely also have the ability to do a password reset on a web site and get control over your account there, so the added security is mostly imaginary, IF you are careful to keep your local machine secure (and if you don't do that, it is a bigger problem than clear text passwords).
Yes, there are some security implications of passwords in clear text, and for web based services there are methods that improve things. There ARE some fundamental issues that make totally fixing it hard, to the level that some say the only way to really improve the security of email is to totally dismantle the system and rebuild it. The fact that you are on this list lets me assume that you are not of the position that we should throw the existing email system away until we can get something better.
As to not having time, there are several projects going on to build better email list managers, but for now, I don't know of any free/open-source solutions with the reliability of Mailman that do NOT use plain text passwords (actually you would be hard pressed to find an open-source solution that seriously challenges Mailman even with plain text passwords). YOU have the choice: use the system with its inherent warts, or don't use the system (or put in your time to make the system better).
Security ALWAYS starts at the user, and to complain that something is "universally and absolutely BAD", when that behavior is CLEARLY stated on the page you are using to sign up for the service says the real security flaw is on your end.
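Richard's point that a purely e-mail-driven list manager has to move a secret in the clear is where the common mitigation comes in; as an added sketch (not Mailman's code, and not part of this thread) the following shows a per-command, one-time confirmation token replacing a stored, reusable password, so that nothing that travels in the mail works twice or survives a leaked database. The addresses, the three-day lifetime and the command names are assumptions.

```python
import hashlib
import secrets
import time

# Added illustration, not Mailman's code. A list manager driven purely by
# e-mail (subscribe, change options, unsubscribe) that never stores or mails a
# reusable password: each command is answered with a one-time, expiring token,
# and only the token's hash is kept server-side.

TOKEN_TTL_SECONDS = 3 * 24 * 3600          # assumed: confirm within three days
ALLOWED_ACTIONS = {"subscribe", "unsubscribe", "set digest on", "set digest off"}


def _digest(token: str) -> str:
    """What the server keeps instead of the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()


class EmailOptionsService:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # token digest -> (address, action, expiry)
        self.subscribers = {}    # address -> options
        self.outbox = []         # (recipient, body) mails the service "sends"

    def request(self, sender: str, action: str) -> None:
        """Handle a command mail. Nothing changes yet: the sender is mailed a
        fresh token and must reply 'confirm <token>'. Holding the token proves
        control of the mailbox, which is all a mailed password ever proved."""
        if action not in ALLOWED_ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        token = secrets.token_urlsafe(24)
        self._pending[_digest(token)] = (sender.lower(), action,
                                        self._now() + TOKEN_TTL_SECONDS)
        self.outbox.append((sender.lower(), f"confirm {token}"))

    def confirm(self, sender: str, command: str) -> bool:
        """Apply the pending action only if the token is known, unexpired and
        returned from the address it was issued to. Any attempt consumes it."""
        parts = command.split()
        if len(parts) != 2 or parts[0] != "confirm":
            return False
        entry = self._pending.pop(_digest(parts[1]), None)   # single use
        if entry is None:
            return False
        address, action, expiry = entry
        if self._now() > expiry or sender.lower() != address:
            return False
        self._apply(address, action)
        return True

    def _apply(self, address: str, action: str) -> None:
        if action == "subscribe":
            self.subscribers[address] = {"digest": False}
        elif action == "unsubscribe":
            self.subscribers.pop(address, None)
        else:                               # "set digest on" / "set digest off"
            self.subscribers.setdefault(address, {})["digest"] = action.endswith("on")

    def last_mail_to(self, address: str) -> str:
        """Body of the most recent mail sent to `address` (demo helper)."""
        for recipient, body in reversed(self.outbox):
            if recipient == address.lower():
                return body
        raise LookupError(f"nothing mailed to {address}")


def run_scenario() -> dict:
    """Walk one constructed subscriber through the flow and its failure modes."""
    clock = [1_700_000_000.0]
    svc = EmailOptionsService(now=lambda: clock[0])
    alice = "alice@example.org"             # constructed sample address
    r = {}

    svc.request(alice, "subscribe")
    mail = svc.last_mail_to(alice)
    token = mail.split()[1]
    r["plain_token_stored"] = token in svc._pending         # never the secret
    r["hashed_token_stored"] = _digest(token) in svc._pending
    r["subscribe_confirmed"] = svc.confirm(alice, mail)
    r["replay_rejected"] = not svc.confirm(alice, mail)     # token already burnt

    svc.request(alice, "unsubscribe")
    mail = svc.last_mail_to(alice)
    r["wrong_sender_rejected"] = not svc.confirm("someone-else@example.net", mail)
    r["still_subscribed"] = alice in svc.subscribers

    svc.request(alice, "set digest on")
    mail = svc.last_mail_to(alice)
    clock[0] += TOKEN_TTL_SECONDS + 1                       # let the token expire
    r["expired_rejected"] = not svc.confirm(alice, mail)
    r["digest_unchanged"] = svc.subscribers[alice]["digest"] is False
    return r
```

A monthly "reminder" in this model can only ever mail a fresh token, never something that was valid before the mail was sent.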
As with all mail lists using mailman you can choose not to be reminded in your user configuration. The reminder is something I just ignore for all lists and my password is one I wouldn't use elsewhere.
Earnie
On Sat, Dec 1, 2012 at 11:57 AM, Pat Ferrel pat@occamsmachete.com wrote: