Re: About mailing lists password reminders



On Sun, 2013-02-03 at 14:06 +0100, Andrea Veri wrote:
> Hi,
> 
> 
> I noticed someone pointed out [1] the fact a reminder mail with the
> subscription's password is sent once a month to each individual after
> subscribing to a @gnome.org list.
> 
> 
> That's Mailman's default behaviour; if you want to disable it, you
> can by:
> 
> 
> - disabling it directly for the whole list: log in to the Admin
> interface for your list and set "Send monthly password reminders?"
> to 'No'
> - disabling it for your subscription only by logging in to your
> subscription's profile and setting "Get password reminder email for
> this list?" to 'No'. You can even do that globally for all your
> subscriptions by clicking on the 'Set Globally' flag right under the
> switch above.
> 
> 
> Have an awesome Sunday,
> 
> 
> [1] https://mail.gnome.org/archives/orca-list/2013-February/msg00023.html
> 

<SECURITY RANT>
Another issue is storing passwords in plaintext (regardless of whether the
reminders are sent or not). Given that many people reuse passwords
(bad practice, but it's the reality), leakage of the table gives an attacker a nice
email-password list.

Mailman 3 seems to include the correct thing to have by default - hashed
passwords with salt (PBKDF2 or bcrypt would be a better choice - the
former is implemented by flufl.password and can be used by Mailman 3
IIUC). Unfortunately it is still in beta.
</SECURITY RANT>

Best regards
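Added example (not code from this thread, from Mailman or from flufl.password) of the salted PBKDF2 storage the reply above argues for, in Python; the record format, the iteration count and the sample subscriber table are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical record format: "pbkdf2_sha256$<iterations>$<salt-b64>$<hash-b64>".
# Storing the salt and iteration count alongside the hash lets the cost be
# raised later without breaking existing subscribers.
ITERATIONS = 200_000  # assumption: tune upward as hardware gets faster


def hash_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Return a self-describing record from which the password cannot be recovered."""
    salt = salt or os.urandom(16)  # fresh random salt per subscriber
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iterations; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # malformed or unknown scheme: reject rather than guess
    _, iters, salt_b64, hash_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


# Constructed subscriber table in the plaintext form the reply warns about.
SUBSCRIBERS_PLAINTEXT = {
    "alice@example.org": "correct horse",
    "bob@example.org": "hunter2",
}


def hashed_table(plaintext_table: dict) -> dict:
    """One-off migration: replace each stored password with a salted PBKDF2 record.

    After this, a leaked table yields per-user salted hashes, not reusable
    email-password pairs, and monthly plaintext reminders are no longer possible.
    """
    return {email: hash_password(pw) for email, pw in plaintext_table.items()}
```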


