[Mailman-Developers] Re: [Mailman-Users] Any way users can unsubscribe without a password?
Jay R. Ashworth
jra@baylink.com
Mon, 2 Apr 2001 10:30:14 -0400
[Filtered back to -devel]
On Mon, Apr 02, 2001 at 02:14:30AM -0400, Barry A. Warsaw wrote:
> >>>>> "JRA" == Jay R Ashworth <jra@baylink.com> writes:
>
> JRA> Two edged sword.
>
> JRA> I'm trying to remember whose message it is, Slashdot's, I
> JRA> think, that says "don't get your panties in a twist because
> JRA> we included your password in clear".
>
> JRA> This completely fails to take into account the "I use the
> JRA> same password many places" people.
>
> JRA> Getting the passwords out of the mail is a good thing... but
> JRA> mail is *still* sniffable. Depends how much security you
> JRA> want people to have...
>
> The last step (to be added /eventually/) is to allow users to suppress
> password-containing emails unless they specifically hit "Email My
> Password To Me". This means 1) allowing them to inhibit monthly
> reminders on a per-user basis; 2) allowing them to suppress the
> password in the welcome message; 3) adding confirmation emails for
> things like changing their options.
>
> Shouldn't be hard to do, just takes time.

My favorite approach was always "ask the user for a challenge question
that describes their password *to them*, in addition to the password,
and then send them *that* if they can't remember it".

> Still, we /tell/ users not to use important passwords for their
> Mailman accounts, but I understand the Pinball Machine Rule[1] applies
> here.
>
> [1] The PMR is the observation that it doesn't matter a whit if the
> instructions are printed clearly for all to see, nobody will read
> them. They'll just drop their quarter(s) and start pushing buttons
> like a Tommy.

Classic. Whence cometh that one? If there's enough reference for it
in the Real World, I'll be Submitting It To Eric.

Cheers,
-- jra
--
Jay R. Ashworth jra@baylink.com
Member of the Technical Staff Baylink
The Suncoast Freenet The Things I Think
Tampa Bay, Florida http://baylink.pitas.com +1 727 804 5015