[support] Password in clear text

Richard Damon Richard at Damon-Family.org
Sat Dec 1 21:59:34 UTC 2012


On 12/1/12 11:57 AM, Pat Ferrel wrote:
> I just got a reminder from the mailman-owner at drupal.org
> <mailto:mailman-owner at drupal.org> about my account settings for this
> mail group.
>
> The email contained my password in clear text!!! This is completely
> unacceptable.
>
>  1. you should never save my password in clear text
>  2. you should never never send it anywhere! 
>
>
> This is something I'd expect from bad practices of the last century.
>
>
As has been mentioned, the fact that this will happen is clearly stated
on the subscription form. This password policy has been discussed on the
Mailman development lists, and the basic argument is that the list
password is protecting low security information, as all that someone
getting this password can do is to mess up your subscription settings or
unsubscribe you from the list. Mailman is also set up to be totally
usable by a user via email and not require any web access, the process
needs to allow for the transmission of passwords in plain text as there
is no other option with email.

If YOU made the mistake of using a "valuable" password for the list, and
do not trust the security of your email system, it is your own fault,
and you should change your password and do your best to clear that email
from your client. You can also change your setting to suppress the
monthly password reminder, but anyone can get the system to email it to
you if they want.

As to the other comment about "sensible managers" turning off this
option, I would have to disagree, most of the Mailman lists that I
belong to do send the monthly reminder, and I would never turn it off
for the lists I run because I get enough people who subscribe to lists
like this with a free email account so that when the email address gets
too well known and starts to get too much spam, the account can be
closed down and a new one made (and the list subscription changed), and
then the free email account is set to forward to their main account. If
the person doesn't POST that often, they may forget what email address
the list is actually sending email to, and if you forget what it is,
you need to know how to read email headers well to figure it out,
assuming the relaying host adds the "for" information in the received
headers.

-- 
Richard Damon
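
The header-reading step mentioned in the last paragraph, as an added example that is not part of the original post: it pulls the optional "for" clause out of each Received header to recover which address the list actually mailed. The sample message, host names and addresses are constructed for illustration.

```python
import email
import re

# Constructed sample (not from the original post): list mail delivered to a
# throwaway address that forwards to the subscriber's main mailbox.
SAMPLE = """\
Received: from mx.freemail.example (mx.freemail.example [192.0.2.10])
\tby imap.mainhost.example with ESMTP id abc123
\tfor <me@mainhost.example>; Sat, 1 Dec 2012 22:00:05 +0000
Received: from lists.example.org (lists.example.org [198.51.100.7])
\tby mx.freemail.example with ESMTP id def456
\tfor <throwaway42@freemail.example>; Sat, 1 Dec 2012 22:00:01 +0000
Received: from localhost (localhost [127.0.0.1])
\tby lists.example.org with ESMTP id ghi789; Sat, 1 Dec 2012 21:59:58 +0000
From: list-owner@lists.example.org
To: support@lists.example.org
Subject: [support] example

body
"""

# The "for" clause is optional; it appears as "for <addr>" or "for addr".
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)

def received_for_addresses(raw_message):
    """Return the 'for' addresses found in Received headers, oldest hop first."""
    msg = email.message_from_string(raw_message)
    found = []
    # Each relay prepends its header, so reverse to walk from the first hop.
    for hop in reversed(msg.get_all("Received", [])):
        text = " ".join(hop.split())               # unfold continuation lines
        text = re.sub(r"\([^()]*\)", "", text)     # drop parenthesised comments
        text = text.split(";")[0]                  # drop the trailing date
        match = FOR_CLAUSE.search(text)
        if match:
            found.append(match.group(1))
    return found

def subscribed_address(raw_message):
    """The earliest 'for' clause is the address the list server mailed to."""
    addresses = received_for_addresses(raw_message)
    return addresses[0] if addresses else None

if __name__ == "__main__":
    print(subscribed_address(SAMPLE))
```

If no relay recorded a "for" clause, `subscribed_address` returns `None`, which is the case the post warns about.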
