FAQ
The problem isn't plain text emailed passwords.
The *real* problem is storing plain text passwords on the server that runs mailman.
If that server gets compromised, the attacker has a list of email addresses and passwords.
I guess you all heard about the recent problems with Sony's Playstation Network (PSN). One of the biggest problems there was that Sony stored plain text passwords. If you Google for "plain text passwords", you will see thousands of articles that advise against it, and none that recommend it. Storing plain text passwords in a database is a security antipattern.

Passwords should always be one-way encrypted (hashed), and preferably
well salted.

This is a website that shames Plain Text Offenders: http://plaintextoffenders.com/
Mailman should be added to that website, and Ubuntu should add a very clear security warning to Mailman. Other (more secure) mailing list software should be advised, or a more secure (patched) version (MM 2.1, 3.0, whatever) should be used.

Canonical/Ubuntu itself currently uses Mailman for its community
mailing lists (ubuntu-users etc.). This should be seriously evaluated.

--
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/266821

Title:
privacy hole in password reminder
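The comment above argues that the reminder feature is only possible because Mailman keeps list passwords in plain text, and that passwords should instead be stored salted and hashed. The following is an added example (not Mailman's code and not from the bug reporter) showing what a salted, iterated hash of a subscriber password looks like, why the same password gives two different records for two subscribers, and how a login check verifies a password without the server ever being able to read it back. The record format `pbkdf2_sha256$iterations$salt$hash`, the iteration count, and the subscriber table are all assumptions made for this example.

```python
"""Added example: salted password hashing in place of plain-text storage.

Not Mailman's code. Record layout, iteration count and sample data are
assumptions for illustration only.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed work factor; choose according to current guidance for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn per call, so two subscribers with the same
    password produce different records and a leaked table cannot be attacked
    with one precomputed lookup for all users.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    Malformed or unknown records are rejected rather than raising, so a
    corrupted row cannot turn into an authentication bypass or a crash.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), parts[3])


def migrate_plaintext_table(plaintext: Dict[str, str]) -> Dict[str, str]:
    """One-off migration: replace each plain-text password with its hashed record.

    After this runs the server can still authenticate subscribers, but it can
    no longer mail anyone their password, which is exactly the point: a
    'password reminder' requires plain text, a password *reset* does not.
    """
    return {address: hash_password(pw) for address, pw in plaintext.items()}


if __name__ == "__main__":
    # Constructed sample data: what a plain-text subscriber table looks like.
    legacy_table = {
        "alice@example.invalid": "correct horse",
        "bob@example.invalid": "correct horse",   # same password as alice
    }
    hashed_table = migrate_plaintext_table(legacy_table)
    for address, record in hashed_table.items():
        print(address, "->", record[:40] + "...")
    print("alice login ok:", verify_password("correct horse", hashed_table["alice@example.invalid"]))
    print("bob wrong pw :", verify_password("wrong", hashed_table["bob@example.invalid"]))
    print("records differ despite equal passwords:",
          hashed_table["alice@example.invalid"] != hashed_table["bob@example.invalid"])
```

The migration helper is the practical step a list server would take once: rehash every stored password and drop the plain-text column, after which the reminder feature can only be replaced by a reset-token flow, never restored.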

Discussion overview: group mailman-coders (category python); posted May 23, '11 at 1:29p, last active May 23, '11 at 1:37p; 2 posts by 1 user (Amedee Van Gasse: 2 posts); website list.org.