Plaintext password in membership reminder


Plaintext password in membership reminder

Thomas Dinges
Hi guys,

I just got another "blender.org mailing list memberships reminder" mail,
and it still contains all passwords in plaintext. If I remember
correctly this was brought up some weeks ago and should be changed?

Best regards,

Thomas

_______________________________________________
Bf-committers mailing list
[hidden email]
https://lists.blender.org/mailman/listinfo/bf-committers

Re: Plaintext password in membership reminder

Dan McGrath
Hi Thomas,

To disable this, as it is a per user configuration choice, log into your
account and turn off password reminders. You can set this globally for all
lists, or on a per list basis.


Dan

Re: Plaintext password in membership reminder

Vicente Carro
If he does that, will the plain text password be removed from the server, or
will he simply stop receiving it in the emails?

On 2 June 2018 at 15:59, Dan McGrath <[hidden email]> wrote:

> Hi Thomas,
>
> To disable this, as it is a per user configuration choice, log into your
> account and turn off password reminders. You can set this globally for all
> lists, or on a per list basis.
>
>
> Dan

Re: Plaintext password in membership reminder

Dan McGrath
In reply to this post by Thomas Dinges
Hi,

This will simply stop you from receiving the plain text password. As I have
mentioned several times in private mails, the version of Mailman that we
use is not capable of hashing passwords (at least out of the box, iirc).
The upcoming version 3 was an overhaul which should address this problem.
That said, it is clearly stated when you subscribe to the list that you
should not use an important password as it will be mailed back to you etc.

My advice is to generate a simple unique password, and set your mail
preferences to not email them back to you, as well as to change your
password if this all comes as a surprise to you. Also, to sign your emails
with GPG/GNUPG if you require accountability and are concerned that someone
sniffed your password from your email. But we do send and receive mail via
TLS, when possible, so the odds of the mail being intercepted and sniffed
are relatively low.

I hope this helps! I believe that mailman 3 is finally in the ports tree,
but when we will actually use it, who knows.


Cheers,

Dan
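An added illustration (Python, not Mailman's own code) of the point made above: a reminder mail can only exist because the server keeps the password in a reversible form, whereas a store that keeps a salted hash can verify a login but cannot mail the password back and has to fall back to a reset token. The two store classes, the work factor and the sample list name are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import secrets

# Added illustration, not Mailman code: a reminder mail needs the password in a
# reversible form; a hashed store can only verify and hand out a reset token.
PBKDF2_ROUNDS = 200_000  # assumed work factor, tune per deployment


class PlaintextStore:
    """Mailman 2 style: the password is kept as typed, so it can be mailed back."""

    def __init__(self):
        self._passwords = {}

    def enroll(self, address, password):
        self._passwords[address] = password

    def verify(self, address, password):
        stored = self._passwords.get(address, "")
        return hmac.compare_digest(stored.encode(), password.encode())

    def reminder_text(self, address):
        # The plaintext password ends up in an email body.
        return f"Your bf-committers password is: {self._passwords[address]}"


class HashedStore:
    """Only a salted PBKDF2 digest is kept; the password cannot be recovered."""

    def __init__(self):
        self._records = {}  # address -> (salt, digest)

    def enroll(self, address, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._records[address] = (salt, digest)

    def verify(self, address, password):
        if address not in self._records:
            return False
        salt, digest = self._records[address]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def reminder_text(self, address):
        # No reminder is possible; the server can only issue a one-time reset token.
        return f"Use this one-time token to set a new password: {secrets.token_urlsafe(24)}"
```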

Re: Plaintext password in membership reminder

tmohr
In reply to this post by Vicente Carro
Hello,

Even if I change the setting and don't get reminders then it seems you still
store the password in cleartext.

This looks like quite a big security problem.  Also, storing passwords in
cleartext is not really state of the art any more.

Are there plans to change this?


Best regards
Torsten

On Sunday, 3 June 2018, at 17:01:03 CEST, Vicente Carro wrote:

> If he does that, will the plain text password be removed from the server, or
> will he simply stop receiving it in the emails?
>
> On 2 June 2018 at 15:59, Dan McGrath <[hidden email]> wrote:
> > Hi Thomas,
> >
> > To disable this, as it is a per user configuration choice, log into your
> > account and turn off password reminders. You can set this globally for all
> > lists, or on a per list basis.
> >
> >
> > Dan

Re: Plaintext password in membership reminder

Dan McGrath
In reply to this post by Thomas Dinges
Hi Torsten,

I am aware of your concern. Unfortunately, I did not write Mailman :(
AFAIK, there are only 3rd party add-ons to do such things, but I believe
that the situation comes down to it being a known issue, with the
recommendation being for you to not use important passwords for the
service, and also to disable the feature that mails you a password back, in
case someone else can read your email (we do use SSL transport during
delivery, and require HTTPS for the website).

Please refer to these urls:

https://mail.python.org/pipermail/mailman-users/2010-July/069843.html
http://www.list.org/mailman-member/node15.html
http://www.list.org/mailman-member/node18.html

At some point, Mailman 3 will do away with these, but as of yet I don't
believe it is stable. This software is about as old as the internet, and
unfortunately, it does assume a little too much for the user. To be fair
though, you are warned very clearly about this during the creation of the
account:

  http://pasteall.org/pic/show.php?id=a310d07569563858a1483c7b4a96430c

Gotta love old legacy systems. Also, gotta love volunteering to maintain
legacy systems. If you would like to sponsor a few thousand dollars to me
to upgrade to mailman 3, perhaps I could put a rush on things, otherwise,
sorry!


Cheers,

Dan