[Mailman-Developers] Making passwords easier for users

Thomas Wouters thomas@xs4all.net
Mon, 24 Apr 2000 23:29:48 +0200


On Mon, Apr 24, 2000 at 12:09:44AM -0400, Owen Taylor wrote:
> Jim Hebert <jhebert@compu-aid.com> writes:
> > On 23 Apr 2000, Owen Taylor wrote:
> > > The other password related modification I was thinking of doing
> > > locally here is a little bit more radical - making it so that all
> > > passwords for a given email address are interchangeable. Quite a few

> > [I am not a mailman developer. If I shouldn't be posting my .02, someone
> > please thwap me with the clue paddle...]

I'm not a Mailman developer either, but I'll give my fl0,02 as well ;)

[ snip ideas about passwords in Mailman, and its security implications ]

> (4 randomly chosen upper or lower case letters - so the mean time for
> brute forcing one password is about 3.5 million tries. Weakening this
> by a factor of 10 would make it conceivable that someone could try
> it. On the other hand, if someone posts the form 350,000 times in a
> row, it probably will create a lot of other problems for a server.)

But, guys, it's a lot worse than that. Haven't you noticed Mailman can send
out password *reminders* every month? It's no use to send out encrypted
passwords, so Mailman's passwords *aren't* encrypted. They're just stored in
plaintext. If someone gets hold of the list databases, they *have* the
passwords, no efforts attached ;)

(This only goes for member passwords. The site password and the list
passwords are encrypted, either with crypt.crypt() or with md5.digest().)

The problem with the password ideas isn't security, because Mailman
passwords aren't that big a deal -- they're mostly protection against
malicious scriptkiddies trying to subscribe/unsubscribe someone else. The
problem is that there is no separate user-database. (yet.) All users are
part of a list, and there is no easy way to see what lists, for instance, a
user is subscribed to (even if you were able to figure out which email
addresses are equal ;)

If I'm not mistaken, this is going to be remedied, though. Harald (I think?)
wrote a 'user database' that's supposed to be incorporated into standard
Mailman after the 2.0 release (or whenever it's ready.) Once it's there, all
kinds of kinky things like listing one's aliases, choosing which list goes
to which alias, etc, can be written. And trust me, it'll be written, because
you're not the only ones crying out for it. :-)

*cry* *cry*-ly y'rs,
-- 
Thomas Wouters <thomas@xs4all.net>

Hi! I'm a .signature virus! copy me into your .signature file to help me spread!
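The two points argued in the thread above, the brute-force arithmetic for four random letters and the trade-off between storing a password in plaintext (so a reminder can be mailed) and storing only a hash (so a leaked database does not hand over the passwords), as an added example. This is illustrative code written for this page, not Mailman's own code; the scheme names and the salted-SHA-256 variant are assumptions added for contrast, and the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import string

# Alphabet from the quoted post: 4 randomly chosen upper- or lower-case letters.
ALPHABET = string.ascii_letters  # 52 characters


def keyspace(length, alphabet=ALPHABET):
    """Number of distinct passwords of the given length over the alphabet."""
    return len(alphabet) ** length


def mean_tries(length, alphabet=ALPHABET):
    """Expected number of guesses to hit one password by exhaustive search:
    on average half the keyspace has to be tried."""
    return keyspace(length, alphabet) // 2


# Scheme 1: plaintext, which the post says Mailman uses for member passwords.
def store_plaintext(password):
    return password


def verify_plaintext(stored, attempt):
    return hmac.compare_digest(stored.encode(), attempt.encode())


def remind_plaintext(stored):
    """A monthly reminder needs the original password back; only plaintext
    storage can provide it. No hashed scheme below has an equivalent."""
    return stored


# Scheme 2: unsalted MD5, which the post names for site and list passwords.
def store_md5(password):
    return hashlib.md5(password.encode()).hexdigest()


def verify_md5(stored, attempt):
    return hmac.compare_digest(stored, store_md5(attempt))


# Scheme 3: salted SHA-256 (hypothetical contrast, not something Mailman did).
def store_salted(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def verify_salted(stored, attempt):
    salt_hex, digest = stored.split("$", 1)
    expected = hashlib.sha256(bytes.fromhex(salt_hex) + attempt.encode()).hexdigest()
    return hmac.compare_digest(expected, digest)


def identical_passwords_collide(store):
    """Under an unsalted scheme two members who chose the same password get
    the same stored value, so a leaked database reveals the sharing; a
    per-record salt hides it. Sample password is constructed."""
    return store("Qwer") == store("Qwer")


if __name__ == "__main__":
    print("4-letter keyspace:", keyspace(4))          # 7,311,616
    print("mean brute-force tries:", mean_tries(4))   # 3,655,808
    print("md5 collides on shared password:", identical_passwords_collide(store_md5))
    print("salted collides on shared password:", identical_passwords_collide(store_salted))
```

The keyspace figure (about 3.7 million mean tries) is the same order as the 3.5 million quoted in the thread. The point of the three storage functions is the one Thomas makes: only `store_plaintext` supports `remind_plaintext`, and that is exactly what makes a leaked list database hand over every member password.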