[support] Password in clear text

Jamie Holly hovercrafter at earthlink.net
Sun Dec 2 19:32:49 UTC 2012


This list is not the place for this discussion. If you feel that this is 
an issue, then please open an issue up in the webmasters issue tracker:

http://drupal.org/node/add/project-issue/webmasters

Jamie Holly
http://www.intoxination.net
http://www.hollyit.net

On 12/2/2012 12:24 PM, Pat Ferrel wrote:
> Wow, this is complete foolishness.
>
> How does my failure to read a notice have anything to do with an 
> obviously bad practice? Red herring!
>
> Also what does the fact that this is a community effort have anything 
> to do with an obviously bad practice? Another red herring. Community 
> can also work to point out failures like this and work to fix them.
>
> The password protects low security information but I am not even sure 
> where else I use that password. And this itself is another red herring.
>
> Passwords in clear text are universally and absolutely BAD. You can 
> justify the fact that no one has time to fix it. That I understand but 
> the rest of these arguments are purely specious.
>
>
> On Dec 1, 2012, at 2:19 PM, Anthony <tony at tony-mac.com> wrote:
>
> Very well written Richard.
>
> On Sat, Dec 1, 2012 at 1:59 PM, Richard Damon 
> <Richard at damon-family.org> wrote:
>
>     On 12/1/12 11:57 AM, Pat Ferrel wrote:
>>     I just got a reminder from the mailman-owner at drupal.org
>>     about my account settings for this mail group.
>>
>>     The email contained my password in clear text!!! This is
>>     completely unacceptable.
>>
>>      1. you should never save my password in clear text
>>      2. you should never never send it anywhere!
>>
>>
>>     This is something I'd expect from bad practices of the last century.
>>
>>
>     As has been mentioned, the fact that this will happen is clearly
>     stated on the subscription form. This password policy has been
>     discussed on the Mailman development lists, and the basic argument
>     is that the list password is protecting low security information,
>     as all that someone getting this password can do is to mess up
>     your subscription settings or unsubscribe you from the list.
>     Mailman is also set up to be totally usable by a user via email
>     and not require any web access, the process needs to allow for the
>     transmission of passwords in plain text as there is no other
>     option with email.
>
>     If YOU made the mistake of using a "valuable" password for the
>     list, and do not trust the security of your email system, it is
>     your own fault, and you should change your password and do your
>     best to clear that email from your client. You can also change
>     your setting to suppress the monthly password reminder, but anyone
>     can get the system to email it to you if they want.
>
>      As to the other comment about "sensible managers" turning off
>     this option, I would have to disagree, most of the Mailman lists
>     that I belong to do send the monthly reminder, and I would never
>     turn it off for the lists I run because I get enough people who
>     subscribe to lists like this with a free email account so that
>     when the email address gets too well known and starts to get too
>     much spam, the account can be closed down and a new one made (and
>     the list subscription changed), and then the free email account is
>     set to forward to their main account.  If the person doesn't POST
>     that often, they may forget what email address the list is
>     actually sending email to, and if you forget what it is, you need
>     to know how to read email headers well to figure it out, assuming
>     the relaying host adds the "for" information in the received headers.
>
>     -- 
>     Richard Damon
>
>
>     --
>     [ Drupal support list | http://lists.drupal.org/ ]
>
>
>
>
> -- 
>
> */Anthony Stefan Maciejowski/*
