[Mailman-Developers] Hashing member passwords in config.pck
Chuq Von Rospach
chuqui at plaidworks.com
Thu Feb 10 17:22:29 CET 2005
On Feb 10, 2005, at 7:02 AM, Barry Warsaw wrote:
> I think CAN-2005-0202 gives us the opportunity to finally implement what
> we have long considered an embarrassing exposure in Mailman's config.pck
> databases. Member passwords are kept in this database in the clear.
> The obvious fix is to hash member passwords and keep only the hash in
> the database.
+1
> As for #2, well, I think most people hate those password reminders anyway,
Yes. We have some folks on our lists who send us monthly "why haven't
you stopped doing this yet?" messages. It'd almost be amusing, if it
weren't so annoying... (grin)
> To do this for 2.1.6, we'd have to change the "Email My Password To Me"
> feature in the options page and in the member login page. These would
> have to become a "create a new password for me" feature.
+1
> The downside to doing this now is that it's more coding work for 2.1.6
> and I'd like to get the new version out asap. Still, this seems like an
> opportunity that we shouldn't lightly dismiss.
get the patch out with 2.1.6, then do 2.1.7 with the new password
stuff. I think that's reasonable.
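As an added illustration (not Mailman's own code and not from either poster), here is one way the two changes discussed above fit together: member passwords are stored only as salted hashes, and the "Email My Password To Me" feature becomes "create a new password for me", which generates a fresh password, stores its hash, and hands the plaintext back once for mailing. The PBKDF2 scheme, its parameters and the address-to-hash dictionary standing in for config.pck are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, Optional

# Assumed parameters for the salted hash; not Mailman's actual scheme.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt-hex>$<digest-hex>' for storage.

    A fresh random salt is drawn for every call unless one is supplied, so two
    members with the same password do not end up with the same stored value.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return "%s$%d$%s$%s" % (ALGORITHM, PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def reset_password(members: Dict[str, str], address: str, length: int = 12) -> str:
    """The 'create a new password for me' feature.

    With only hashes on disk the old password cannot be mailed back, so a new
    random one is generated, its hash replaces the member's entry, and the
    plaintext is returned once so the caller can send it to the member.
    """
    alphabet = string.ascii_letters + string.digits
    new_password = "".join(secrets.choice(alphabet) for _ in range(length))
    members[address] = hash_password(new_password)
    return new_password
```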