[Mailman-Developers] password handling in MM3

Ian Eiloart iane at sussex.ac.uk
Fri Jul 9 12:29:27 CEST 2010



--On 9 July 2010 12:11:50 +0200 Anna Granudd <anna.granudd at gmail.com> wrote:

> Hi,
> when subscribing a user or creating a list in Mailman 3.0 we need to
> implement the use of a password for security reasons. Later the same
> password will be used for logging in to the settings pages. At the moment
> passwords are not handled at all which is why I filed bug #600780 (see
> [1]). However, we're not sure how to handle the passwords at the moment
> and would like your help with ideas and possible ways to implement this,
> which is why I want to start a discussion about the password handling/
> login function. What do we need to think of and how should this best be
> dealt with?

Most importantly, passwords must be securely hashed, so that they can't be 
read by the site or list admins, or by third parties.

That means that password resets must be offered to users, instead of 
password reminders.

Also, for sites like mine, it would be nice to have more than one password 
store. For example, I'd like to have users with addresses in the 
sussex.ac.uk domain authenticated against my current LDAP db, but non-local 
users authenticate against some other db (perhaps a different branch of the 
LDAP tree, but perhaps something local).




> Thanks,
> Anna
>
>
> [1] https://bugs.launchpad.net/mailman/+bug/600780



-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
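
Added example (not part of the original message, and not Mailman code): the three points raised in the reply above, in Python. Passwords are stored only as salted hashes, a forgotten password is handled with a one-time reset token because there is nothing readable to send as a reminder, and the password store is chosen by mail domain. LocalStore, pick_store and the PBKDF2 and expiry values are assumptions made for illustration; an LDAP-backed store would offer the same authenticate() method.

```python
import hashlib, hmac, secrets, time

# Constructed parameters for this example (assumptions, not Mailman settings).
PBKDF2_ROUNDS = 200_000
RESET_TTL = 3600  # seconds a reset token stays valid

def hash_password(password, salt=None):
    """Return (salt, digest); only these are stored, never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

class LocalStore:
    """Hypothetical local password store holding salted hashes only."""
    def __init__(self):
        self.users = {}   # address -> (salt, digest)
        self.resets = {}  # address -> (sha256 of reset token, expiry time)

    def set_password(self, address, password):
        self.users[address] = hash_password(password)

    def authenticate(self, address, password):
        if address not in self.users:
            return False
        salt, digest = self.users[address]
        return hmac.compare_digest(digest, hash_password(password, salt)[1])

    def start_reset(self, address, now=None):
        """Create a token to mail to the user; keep only its hash."""
        token = secrets.token_urlsafe(32)
        expiry = (time.time() if now is None else now) + RESET_TTL
        self.resets[address] = (hashlib.sha256(token.encode()).digest(), expiry)
        return token

    def finish_reset(self, address, token, new_password, now=None):
        """Set a new password if the token matches and has not expired."""
        now = time.time() if now is None else now
        stored, expiry = self.resets.get(address, (b"", 0.0))
        ok = hmac.compare_digest(stored, hashlib.sha256(token.encode()).digest())
        if not ok or now > expiry:
            return False
        del self.resets[address]  # a token works once
        self.set_password(address, new_password)
        return True

def pick_store(address, stores, default):
    """Route an address to a password store by its mail domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    return stores.get(domain, default)
```

With stores = {"sussex.ac.uk": site_store}, addresses in that domain are checked against site_store and all others against the default store.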



