[Mailman-Developers] Hashing member passwords in config.pck

Rui Correia correia.rui at gmail.com
Thu Feb 10 20:18:36 CET 2005


To make Joel's words mine. Even where the password is set by the server,
there are only so many passwords a person can remember, and invariably, if
one signs up to multiple forums/lists, one tends to repeat the password. So
having the password mailed back is an unnecessary exposure. All that is
waiting to happen is for someone to develop code to sit waiting for the
monthly list reminders from Mailman and others, capture the login details
and access mailboxes.

Rui 

________________________________________________
 
 
Rui Correia
Advocacy, Media and Language Consultant
36 Finch St, 
Ontdekkers Park, Roodepoort, 
Johannesburg, South Africa
Tel/ Fax (+27-11) 766-4336
Cell (+27) (0) 83-368-1214



-----Original Message-----
From: mailman-developers-bounces+correia.rui=gmail.com at python.org
[mailto:mailman-developers-bounces+correia.rui=gmail.com at python.org] On
Behalf Of Joel Ebel
Sent: 10 February 2005 17:45
To: mailman-developers at python.org
Subject: Re: [Mailman-Developers] Hashing member passwords in config.pck

I can't speak to whether the work is worth the benefit, but I'm 
definitely in favor of the change.  I've always questioned the benefit 
of having recoverable passwords.  I feel like a password should be a one 
way thing.  You put it in, and you can't get it back.  If you forget it, 
you have to reset it.  I think password reminders are unnecessary, and I 
don't really like having passwords in my email anyway.  Perhaps a 
reminder of how to access your membership settings and reset your 
password would be a better option anyway.

Joel

Barry Warsaw wrote:
> I think CAN-2005-0202 gives us the opportunity to finally implement what
> we have long considered an embarrassing exposure in Mailman's config.pck
> databases.  Member passwords are kept in this database in the clear. 
> The obvious fix is to hash member passwords and keep only the hash in
> the database.
> 
> We haven't changed this before now for two reasons:
> 
> 1. We would have to regenerate all member passwords, which is an
> administrative burden.  We might also need to implement checks to see if
> the passwords were cleartext or hashed and do the password comparison
> accordingly.
> 
> 2. This breaks all password reminders.
> 
> To fully address CAN-2005-0202 we're recommending sites regenerate their
> member passwords anyway, so this gives us an opening to fix this
> properly.  And we have a better internal password generator now too.
> 
> As for #2, well, I think most people hate those password reminders
> anyway, and we've decided that they are going away for MM3.  I don't
> think many people would shed too many tears if we killed off monthly
> password reminders for 2.1.6.  Doing that would also eliminate the
> requirement for the site list, since its primary purpose is to function
> as the sender of the reminder messages.
> 
> To do this for 2.1.6, we'd have to change the "Email My Password To Me"
> feature in the options page and in the member login page.  These would
> have to become a "create a new password for me" feature.  Also,
> crontab.in should not call mailpasswds anymore, or that script should
> turn into a simple "here's the lists you are on" reminder, without the
> password information in it.  This will require i18n updates too.
> 
> The downside to doing this now is that it's more coding work for 2.1.6
> and I'd like to get the new version out asap.  Still, this seems like an
> opportunity that we shouldn't lightly dismiss.
> 
> What do you all think?  Is anybody willing to take a crack at a patch
> for this?
> 
> -Barry
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Mailman-Developers mailing list
> Mailman-Developers at python.org
> http://mail.python.org/mailman/listinfo/mailman-developers
> Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
> Searchable Archives:
> http://www.mail-archive.com/mailman-users%40python.org/
> Unsubscribe:
> http://mail.python.org/mailman/options/mailman-developers/jbebel%40ncsu.edu
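Barry's point #1 above asks for a check that tells a cleartext entry from a hashed one and compares accordingly. The following is an added example written for this archive page, not Mailman's own code or any patch from the thread: a lookup against a member store in which some entries are still cleartext and some are already hashed, with the cleartext entry replaced by its hash on the first successful login, a one-pass migration for the rest, and a "create a new password for me" path in place of the reminder. The `{PBKDF2}` prefix format, the PBKDF2-HMAC-SHA256 parameters, the function names and the sample addresses are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import string

# Hypothetical on-disk format for a hashed entry (an assumption for this
# example, not Mailman's own scheme):
#   "{PBKDF2}" + hex(salt) + "$" + iterations + "$" + hex(derived key)
# Any stored value without the prefix is treated as a legacy cleartext password.
HASH_PREFIX = "{PBKDF2}"
ITERATIONS = 100_000


def hash_password(password: str) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and encode it with the prefix."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{HASH_PREFIX}{salt.hex()}${ITERATIONS}${dk.hex()}"


def is_hashed(stored: str) -> bool:
    """The check from point #1: is this entry already a hash, or still cleartext?"""
    return stored.startswith(HASH_PREFIX)


def verify_hashed(stored: str, candidate: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    try:
        salt_hex, iters, dk_hex = stored[len(HASH_PREFIX):].split("$")
        salt, iterations, expected = bytes.fromhex(salt_hex), int(iters), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # a malformed entry never verifies
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def check_password(members: dict, address: str, candidate: str) -> bool:
    """Verify a login against a store holding both cleartext and hashed entries.

    A legacy cleartext entry is compared in constant time and, on success,
    replaced by its hash so the cleartext disappears from the store.
    """
    stored = members.get(address)
    if stored is None:
        hash_password(candidate)  # spend the same work for unknown addresses
        return False
    if is_hashed(stored):
        return verify_hashed(stored, candidate)
    ok = hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    if ok:
        members[address] = hash_password(candidate)
    return ok


def migrate_store(members: dict) -> int:
    """Hash every remaining cleartext entry in one pass; returns how many were converted."""
    converted = 0
    for address, stored in list(members.items()):
        if not is_hashed(stored):
            members[address] = hash_password(stored)
            converted += 1
    return converted


def reset_password(members: dict, address: str, length: int = 12) -> str:
    """The 'create a new password for me' path: generate, store only the hash, hand it out once."""
    alphabet = string.ascii_letters + string.digits
    new = "".join(secrets.choice(alphabet) for _ in range(length))
    members[address] = hash_password(new)
    return new


if __name__ == "__main__":
    # Constructed sample store: one legacy cleartext entry, one already hashed.
    members = {
        "alice@example.com": "correct horse battery",
        "bob@example.com": hash_password("staple"),
    }
    print(check_password(members, "alice@example.com", "correct horse battery"))  # True
    print(is_hashed(members["alice@example.com"]))  # True: upgraded on first login
    print(migrate_store(members))  # 0: nothing left in the clear
```

The lazy upgrade in `check_password` handles the mixed store during a transition without forcing every member through a reset, while `migrate_store` is the alternative when the cleartext is still on disk and can be hashed in place before the old values are discarded; in both cases the reminder job no longer has anything to mail out, which is the effect Barry describes for #2.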


