[support] Password in clear text

Steve Kessler skessler at denverdataman.com
Sun Dec 2 17:28:19 UTC 2012


Pat,

I did not justify it by saying it's a community effort. I said that if
someone wants it fixed they need to stand up and do it.

I hope that will be you.

Thanks,
Steve
On Dec 2, 2012 10:25 AM, "Pat Ferrel" <pat.ferrel at gmail.com> wrote:

> Wow, this is complete foolishness.
>
> How does my failure to read a notice have anything to do with an obviously
> bad practice? Red herring!
>
> Also what does the fact that this is a community effort have anything to
> do with an obviously bad practice? Another red herring. Community can also
> work to point out failures like this and work to fix them.
>
> The password protects low security information but I am not even sure
> where else I use that password. And this itself is another red herring.
>
> Passwords in clear text are universally and absolutely BAD. You can
> justify the fact that no one has time to fix it. That I understand but the
> rest of these arguments are purely specious.
>
>
> On Dec 1, 2012, at 2:19 PM, Anthony <tony at tony-mac.com> wrote:
>
> Very well written Richard.
>
> On Sat, Dec 1, 2012 at 1:59 PM, Richard Damon <Richard at damon-family.org> wrote:
>
>>  On 12/1/12 11:57 AM, Pat Ferrel wrote:
>>
>> I just got a reminder from the mailman-owner at drupal.org about my account
>> settings for this mail group.
>>
>>  The email contained my password in clear text!!! This is completely
>> unacceptable.
>>
>>    1. you should never save my password in clear text
>>    2. you should never never send it anywhere!
>>
>>
>>  This is something I'd expect from bad practices of the last century.
>>
>>
>>  As has been mentioned, the fact that this will happen is clearly stated
>> on the subscription form. This password policy has been discussed on the
>> Mailman development lists, and the basic argument is that the list password
>> is protecting low security information, as all that someone getting this
>> password can do is to mess up your subscription settings or unsubscribe you
>> from the list. Mailman is also set up to be totally usable by a user via
>> email and not require any web access, the process needs to allow for the
>> transmission of passwords in plain text as there is no other option with
>> email.
>>
>> If YOU made the mistake of using a "valuable" password for the list, and
>> do not trust the security of your email system, it is your own fault, and
>> you should change your password and do your best to clear that email from
>> your client. You can also change your setting to suppress the monthly
>> password reminder, but anyone can get the system to email it to you if they
>> want.
>>
>>  As to the other comment about "sensible managers" turning off this
>> option, I would have to disagree, most of the Mailman lists that I belong
>> to do send the monthly reminder, and I would never turn it off for the
>> lists I run because I get enough people who subscribe to lists like this
>> with a free email account so that when the email address gets too well
>> known and starts to get too much spam, the account can be closed down and a
>> new one made (and the list subscription changed), and then the free email
>> account is set to forward to their main account.  If the person doesn't POST
>> that often, they may forget what email address the list is actually sending
>> email to, and if you forget what it is, you need to know how to read email
>> headers well to figure it out, assuming the relaying host adds the "for"
>> information in the received headers.
>>
>> --
>> Richard Damon
>>
>>
>> --
>> [ Drupal support list | http://lists.drupal.org/ ]
>>
>
>
>
> --
>
> *Anthony Stefan Maciejowski*
>
>
>
>
>
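
Richard's remark about reading the Received headers to find which address a list is really sending to, shown as an added example that is not part of the thread: each relay may record the envelope recipient in a "for" clause, and the hop closest to the list server shows the subscribed address before any forwarding. The sample message, host names and addresses are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a list post sent to a free account that forwards home.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.home.example (Postfix) with ESMTP id ABC123
\tfor <me@home.example>; Sun, 2 Dec 2012 10:30:02 -0700 (MST)
Received: from lists.example.org (lists.example.org [192.0.2.20])
\tby mx.example.net (Postfix) with ESMTP id DEF456
\tfor <throwaway42@freemail.example>; Sun, 2 Dec 2012 17:30:00 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
\tby lists.example.org (Postfix) with ESMTP id 789AAA;
\tSun, 2 Dec 2012 17:29:58 +0000 (UTC)
From: list-owner@lists.example.org
To: support@lists.example.org
Subject: reminder

body
"""

# "for" clause of a Received header: for <addr> or for addr
FOR_CLAUSE = re.compile(r"\bfor\s+(<[^>\s]+>|[^\s;]+)", re.IGNORECASE)

def envelope_recipients(raw):
    """One entry per Received header, top to bottom; None where the
    relay did not record a "for" clause (it is optional)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        clauses = value.rsplit(";", 1)[0]              # drop the trailing date
        clauses = re.sub(r"\([^()]*\)", " ", clauses)  # drop (comments)
        m = FOR_CLAUSE.search(clauses)
        hops.append(parseaddr(m.group(1))[1].lower() if m else None)
    return hops

def subscribed_address(raw):
    """Relays prepend Received headers, so the last header that carries a
    "for" clause is the hop nearest the list server."""
    found = [addr for addr in envelope_recipients(raw) if addr]
    return found[-1] if found else None

if __name__ == "__main__":
    print(envelope_recipients(SAMPLE))
    print(subscribed_address(SAMPLE))
```

Headers added by relays outside your control can be forged or omitted, so treat the result as a hint about the subscribed address rather than proof.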