[Mailman-Developers] Making passwords easier for users

Owen Taylor otaylor@redhat.com
24 Apr 2000 00:09:44 -0400 

Jim Hebert <jhebert@compu-aid.com> writes:

> On 23 Apr 2000, Owen Taylor wrote:
> 
> > The other password related modification I was thinking of doing
> > locally here is a little bit more radical - making it so that all
> > passwords for a given email address are interchangable. Quite a few
> 
> [I am not a mailman developer. If I shouldn't be posting my .02, someone
> please thwap me with the clue paddle...]
 
Its fine with me. Of course, I'm not a mailman developer either. ;-)

> This change has the effect of reducing the strength of the passwords: if I
> am on 15 lists with 15 different passwords, a dictionary attack against
> any of them is 15 times more likely to succeed and brings me 15 times more
> access for having broken it. 
> 
> OTOH, if you keep all your list passwords the same, the success
> probability is unchanged versus one list membership, but the latter
> observation that you get 15x the access is still true, so it's somewhat of
> a red herring.

Exactly. It significantly weakens the strength if the user is using
the randomly chosen Mailman passwords, but not otherwise. Unfortunately,
the passwords Mailman chooses are weak enough that this might 
actually matter. 

(4 randomly chosen upper or lower case letters - so the mean time for
brute forcing one password is about 3.5 million tries. Weakening this
by a factor of 10 would make it conceivable that someone could try
it. On the other hand, if someone posts the form 350,000 times in a
row, it probably will create a lot of other problems for a server.)

> Also, I don't know how much of a threat scenario this is, but if I can
> subscribe otaylor@redhat.com to some other list on the machine with a
> password of my choosing, I have the equivalent access of having otaylor's
> actual password(s) for the other lists. There are at least some sites
> where there isn't mutual trust among the list-owners.

Well, if you have list owners who are being actively malicious to that
extent... but yes, I could see where some people might consider it a 
problem.
 
> That said, admittedly, the security of ones list subscriptions aren't
> exactly the crown jewels. And people probably aren't exactly
> seeing massive dictionary attacks against their mailman
> installations... If this was a configurable thing for the paranoid (me?)
> defaulting to the current behavior I guess it couldn't hurt, eh?

My basic feeling about this change is that it is pretty hacky, 
and does weaken security a little bit. But many mailing lists
get along without any password protection system at all ... and
the tradeoff for users is:
 
 - the inconvenience of someone, just possibly, doing something
   bad to their list subscriptions.
 - the inconvenience of juggling a big pile of passwords.

So, I'll probably try implementing sometime when I have some time
(hah!) and see how it works out. I wouldn't suggest this as the
default, certainly. Though I would hope that people are thinking about
how Mailman could be migrated to one-password-for-user.

Regards,
                                        Owen