[Mailman-Developers] Hashing member passwords in config.pck

Tokio Kikuchi tkikuchi at is.kochi-u.ac.jp
Sat Feb 12 02:30:52 CET 2005


Hi John,

Your message was just the same as I had in mind. (Sorry that I am not 
good at writing in English.)

John W. Baxter wrote:

> I used to be careful about saving my passwords for all the lists [Mailman*]
> I am subscribed to.  I no longer bother...I request the mail out of the
> password if I need it (very rare).
> 
> If the situation becomes a choice of
> 1.  mail out the password becomes generate a new time-limited password and
> mail that
> Or
> 2.  do away with passwords and have everything validated via a mailed-out
> URL
> 
> I think I as a user would prefer 2.

I have been looking through the code and feel like doing away with 
passwords totally may be a bad idea because people may want to keep their 
password when changing their email addresses.

1. If user authentication is required and not qualified by cookie, a 
login web page is sent. User can either enter his password or request a 
URL to be emailed out.
2. User can set his 'permanent' password in his option page.
3. User can set his cookie life time for later convenience. (Maybe when 
requesting the URL in 1.)
4. Password is reset every time a user requests the URL or his password sent.

It will take weeks for me to implement these in current code so...

> I concur with the idea of getting the simple patch out for the CAN-2005-0202
> problem quickly in 2.1.6 and getting the password removal/changes into a
> 2.1.7 [or 2.2 as has also been suggested] (pretty soon and with very little
> if anything else).

> 
>   --John (who for medical reasons can't be of any help, but must continue
> cheering from the sidelines.  Sorry!)

Take care.

-- 
Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
http://weather.is.kochi-u.ac.jp/
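
The mailed-out URL flow discussed in this message, sketched as an added example (not part of the original post and not Mailman code): each request replaces the previous token, only a hash of the token is stored, and a token works once within its lifetime. The class name, method names and the one-hour lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_LIFETIME = 3600  # seconds; assumed value, not taken from the thread


class LoginTokenStore:
    """Hypothetical store that keeps only a hash of each member's token."""

    def __init__(self):
        self._pending = {}  # address -> (sha256 hex of token, expiry time)

    def issue(self, address, now=None):
        """Create a fresh token, replacing any earlier one for the address."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[address] = (digest, now + TOKEN_LIFETIME)
        return token  # placed in the mailed URL, never stored in clear

    def redeem(self, address, token, now=None):
        """Return True once for a valid, unexpired token, else False."""
        now = time.time() if now is None else now
        entry = self._pending.get(address)
        if entry is None:
            return False
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(digest, presented):
            return False
        del self._pending[address]  # single use; also drops expired tokens
        return now <= expiry


if __name__ == "__main__":
    store = LoginTokenStore()
    addr = "member@example.org"           # constructed sample address
    old = store.issue(addr, now=1000)
    new = store.issue(addr, now=1010)     # second request resets the first
    print(store.redeem(addr, old, now=1020))
    print(store.redeem(addr, new, now=1020))
    print(store.redeem(addr, new, now=1021))
```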


