[Mailman-Developers] [Fwd: [vendor-sec] Weak auto-generated passwords in Mailman]

Florian Weimer fw at deneb.enyo.de
Wed Dec 22 11:36:08 CET 2004


* Terri Oda:

> First off -- as far as I know, the mailman password generation 
> algorithm was never intended for significant security.  It was intended 
> to generate nearly-pronounceable (and thus easier to remember) passwords 
> as a mild deterrent to attackers.   I wouldn't really characterize this 
> as a security bug so much as a design choice that you may or may not 
> agree with.

Your users disagree.  As I wrote in the message forwarded by John, the
brute-force attack is entirely practical and leads to real-world
security breaches.

> I'm not sure it makes sense to worry about the auto-generated passwords 
> when we're plaintexting them (and any archive data, and any email) 
> across the Internet.

It does.  The Internet is pretty resilient against casual
eavesdropping.  It takes much more effort to intercept passwords in an
email message than to run some script to recover the Mailman-assigned
password of a list member whose email address is known.

> The idea of sending sensitive data *by unencrypted email* is a bit 
> crazy.  Doesn't mean it's not done, but I don't want to spend a whole 
> lot of time designing a more secure mailman only to have people 
> complain that their email still isn't secure.  If you're really storing 
> sensitive documents, maybe you need to look at some PGP extensions to 
> Mailman as well...

Last time I checked, Mailman labels its member-only archives
"private", and the implicit promise to keep things posted to the list
private is not kept if the software assigns easily guessed passwords to
new members.

I can only repeat that Mailman's current behavior surprises your users
*a* *lot*, and leads to security breaches.
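An added illustration of the entropy argument above (example code written for this page, not Mailman's generator and not from anyone in the thread): the alternating consonant/vowel scheme is a hypothetical stand-in for a pronounceable generator, used only to show how small such a keyspace is compared with a uniformly random password drawn from the OS CSPRNG, which is the replacement a defender would ship.

```python
import math
import secrets
import string

# Hypothetical pronounceable scheme (constructed for this example, NOT Mailman's
# algorithm): consonants and vowels alternate so the result is easy to say.
CONSONANTS = "bcdfghjklmnpqrstvwxz"   # 20 symbols
VOWELS = "aeiouy"                     # 6 symbols

# Alphabet for the uniformly random alternative: 62 symbols.
ALPHABET = string.ascii_letters + string.digits


def pronounceable_keyspace_bits(length: int) -> float:
    """Entropy in bits of an alternating consonant/vowel password of `length`
    characters, assuming a uniform choice at each position."""
    bits = 0.0
    for i in range(length):
        bits += math.log2(len(CONSONANTS) if i % 2 == 0 else len(VOWELS))
    return bits


def random_keyspace_bits(alphabet: str, length: int) -> float:
    """Entropy in bits of `length` uniformly random symbols from `alphabet`."""
    return length * math.log2(len(alphabet))


def generate_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG via `secrets`; never use
    `random.random()` or a seeded generator for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Seconds needed to try every password in a keyspace of `bits` at the
    given guess rate (the average successful guess takes about half that)."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    # A rate of 1000 guesses/s is an assumed figure for a remote login form,
    # not a measurement of any real Mailman installation.
    rate = 1000.0
    for name, bits in (
        ("pronounceable, 8 chars", pronounceable_keyspace_bits(8)),
        ("random 62-symbol, 8 chars", random_keyspace_bits(ALPHABET, 8)),
        ("random 62-symbol, 12 chars", random_keyspace_bits(ALPHABET, 12)),
    ):
        print(f"{name:28s} {bits:6.1f} bits, "
              f"{seconds_to_exhaust(bits, rate) / 86400:.3g} days to exhaust")
    print("example replacement password:", generate_password())
```

The comparison, not the absolute numbers, is the point: the guess rate and the consonant/vowel alphabet are assumptions, but any scheme that restricts each position to a handful of letters loses tens of bits against a same-length random string, and `secrets` closes that gap without any change to how the password is delivered.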
