[support] Password in clear text

Jamie Holly hovercrafter at earthlink.net
Mon Dec 3 17:44:03 UTC 2012


So you have time to attack people for disagreeing with you, but not a 
minute to simply file an issue on D.O.? Why not help fix the problem by 
filing an issue, instead of contributing to it by simply ignoring it?

Jamie Holly
http://www.intoxination.net
http://www.hollyit.net

On 12/3/2012 12:10 PM, Pat Ferrel wrote:
> Sorry Steve, I didn't mean to wrong you. You are on the right side of 
> this. I'd fix or file a bug but unfortunately have bigger fish to fry 
> at present. I hope someone else does.
>
> For anyone reading this exchange I recommend you pay close attention 
> to the names on the exchange emails and filter any future advice 
> accordingly. Also pretty much assume your passwords here have been 
> compromised and should be used nowhere else.
>
> Out.
>
> On Dec 2, 2012, at 9:28 AM, Steve Kessler <skessler at denverdataman.com 
> <mailto:skessler at denverdataman.com>> wrote:
>
> Pat,
>
> I did not justify it by saying it's a community effort. I said that if 
> someone wants it fixed they need to stand up and do it.
>
> I hope that will be you.
>
> Thanks,
> Steve
>
> On Dec 2, 2012 10:25 AM, "Pat Ferrel" <pat.ferrel at gmail.com 
> <mailto:pat.ferrel at gmail.com>> wrote:
>
>     Wow, this is complete foolishness.
>
>     How does my failure to read a notice have anything to do with an
>     obviously bad practice? Red herring!
>
>     Also what does the fact that this is a community effort have
>     anything to do with an obviously bad practice? Another red
>     herring. Community can also work to point out failures like this
>     and work to fix them.
>
>     The password protects low security information but I am not even
>     sure where else I use that password. And this itself is another
>     red herring.
>
>     Passwords in clear text are universally and absolutely BAD. You
>     can justify the fact that no one has time to fix it. That I
>     understand but the rest of these arguments are purely specious.
>
>
>     On Dec 1, 2012, at 2:19 PM, Anthony <tony at tony-mac.com
>     <mailto:tony at tony-mac.com>> wrote:
>
>     Very well written Richard.
>
>     On Sat, Dec 1, 2012 at 1:59 PM, Richard Damon
>     <Richard at damon-family.org <mailto:Richard at damon-family.org>> wrote:
>
>         On 12/1/12 11:57 AM, Pat Ferrel wrote:
>>         I just got a reminder from the mailman-owner at drupal.org
>>         <mailto:mailman-owner at drupal.org> about my account settings
>>         for this mail group.
>>
>>         The email contained my password in clear text!!! This is
>>         completely unacceptable.
>>
>>          1. you should never save my password in clear text
>>          2. you should never never send it anywhere!
>>
>>
>>         This is something I'd expect from bad practices of the last
>>         century.
>>
>>
>         As has been mentioned, the fact that this will happen is
>         clearly stated on the subscription form. This password policy
>         has been discussed on the Mailman development lists, and the
>         basic argument is that the list password is protecting low
>         security information, as all that someone getting this
>         password can do is to mess up your subscription settings or
>         unsubscribe you from the list. Mailman is also set up to be
>         totally usable by a user via email and not require any web
>         access, the process needs to allow for the transmission of
>         passwords in plain text as there is no other option with email.
>
>         If YOU made the mistake of using a "valuable" password for the
>         list, and do not trust the security of your email system, it
>         is your own fault, and you should change your password and do
>         your best to clear that email from your client. You can also
>         change your setting to suppress the monthly password reminder,
>         but anyone can get the system to email it to you if they want.
>
>         As to the other comment about "sensible managers" turning off
>         this option, I would have to disagree, most of the Mailman
>         lists that I belong to do send the monthly reminder, and I
>         would never turn it off for the lists I run because I get
>         enough people who subscribe to lists like this with a free
>         email account so that when the email address gets too well
>         known and starts to get too much spam, the account can be
>         closed down and a new one made (and the list subscription
>         changed), and then the free email account is set to forward to
>         their main account.  If the person doesn't POST that often,
>         they may forget what email address the list is actually
>         sending email to, and if you forget what it is, you need to
>         know how to read email headers well to figure it out, assuming
>         the relaying host adds the "for" information in the received
>         headers.
>
>         -- 
>         Richard Damon
>
>
>         --
>         [ Drupal support list | http://lists.drupal.org/ ]
>
>
>
>
>     -- 
>
>     */Anthony Stefan Maciejowski/*
>
>
>
>
>
