[Mailman-Developers] Re: [Mailman-Users] Any way users can unsubscribe without a password?

Jay R. Ashworth jra@baylink.com
Mon, 2 Apr 2001 10:30:14 -0400 

[Filtered back to -devel]

On Mon, Apr 02, 2001 at 02:14:30AM -0400, Barry A. Warsaw wrote:
> >>>>> "JRA" == Jay R Ashworth <jra@baylink.com> writes:
> 
>     JRA> Two edged sword.
> 
>     JRA> I'm trying to remember whose message it is, Slashdot's, I
>     JRA> think, that says "don't get your panties in a twist because
>     JRA> we included your password in clear".
> 
>     JRA> This completely fails to take into account the "I use the
>     JRA> same password many places" people.
> 
>     JRA> Getting the passwords out of the mail is a good thing... but
>     JRA> mail is *still* sniffable.  Depends how much security you
>     JRA> want people to have...
> 
> The last step (to be added /eventually/) is to allow users to suppress
> password containing emails unless they specifically hit "Email My
> Password To Me".  This means 1) allowing them to inhibit monthly
> reminders on a per-user basis; 2) allowing them to suppress the
> password in the welcome message; 3) adding confirmation emails for
> things like changing their options.
> 
> Shouldn't be hard to do, just takes time.

My favorite approach was always "ask the user for a challenge question
that describes their password *to them*, in addition to the password,
and then send them *that* if they can't remember it".

> Still, we /tell/ users not to use important passwords for their
> Mailman accounts, but I understand the Pinball Machine Rule[1] applies
> here.
>
> [1] The PMR is the observation that it doesn't matter a wit if the
> instructions are printed clearly for all to see, nobody will read
> them.  They'll just drop their quarter(s) and start pushing buttons
> like a Tommy.

Classic.  Whence cometh that one?  If there's enough reference for it
in the Real World, I'll be Submitting It To Eric.

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra@baylink.com
Member of the Technical Staff     Baylink
The Suncoast Freenet         The Things I Think
Tampa Bay, Florida        http://baylink.pitas.com             +1 727 804 5015