The problem isn't plain text emailed passwords.
The *real* problem is storing plain text passwords on the server that runs mailman.
If that server gets compromised, the attacker has a list of email addresses and passwords.
I guess you all heard about the recent problems with Sony's Playstation Network (PSN). One of the biggest problems there was that Sony stored plain text passwords. If you Google for "plain text passwords", you will see thousands of articles that advise against it, and none that recommend it. Storing plain text passwords in a database is a security antipattern.

Passwords should always be one-way encrypted (hashed), and preferably
well salted.

This is a website that shames Plain Text Offenders: http://plaintextoffenders.com/
Mailman should be added to that website, and Ubuntu should add a very clear security warning to Mailman. Other (more secure) mailing list software should be advised, or a more secure (patched) version (MM 2.1, 3.0, whatever) should be used.

Canonical/Ubuntu itself currently uses Mailman for its community
mailing lists (ubuntu-users etc...). This should be seriously evaluated.

You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.

privacy hole in password reminder

Group: mailman-coders
Posted: May 23, 2011 at 1:29 PM
Active: May 23, 2011 at 1:37 PM
Participants: Amedee Van Gasse (2 posts)