[Mailman-Users] Can I enforce secure admin passwords?

Stephen J. Turnbull stephen at xemacs.org
Wed Jun 3 03:48:13 CEST 2009


Kirke Johnson writes:

 > I am concerned that list owners can put insecure admin passwords on 
 > their lists. My testing suggests that short passwords are accepted as 
 > well as alpha-only. The only control I have found is the length of 
 > admin passwords generated by Mailman. I have not located anything 
 > else that would enforce even minimal password security.
 > 
 > Am I missing something here?

No, except that there are other security issues with all Mailman
passwords.  Specifically, that these transactions are conducted over
unencrypted channels anyway.  I think the passwords are also stored in
clear on the server (those of the list members are, since they appear
in monthly reminders) but I could be wrong about that.

It would be easy to add checks, I suppose, but you'd have to decide
what checks you want.  I don't think it would be much more difficult
to add the concept of a user-supplied checker.  Dealing with the link
and storage security issues would be more complex.  You'll have to
wait for Mark to speak up to find out if there are any plans in 2.2.

For Mailman 3, I suspect this is all still pretty much up in the air.
Check the wiki and maybe post a feature request to Mailman-Developers.

I suggest posting a feature request to the tracker in any case so the
suggestion won't get lost.
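
Added example, not part of the original message and not Mailman code: a sketch of the pluggable checker idea discussed above, rejecting the short and alpha-only passwords the question mentions. The function names, the 12-character minimum and the list name "staff-news" are assumptions made for illustration; nothing here is an existing Mailman hook.

```python
# Hypothetical pluggable password checks; none of these names exist in Mailman.
# A checker is any callable (password, listname) -> error string, or None if OK.

def min_length(n):
    """Checker factory: reject passwords shorter than n characters."""
    def check(password, listname):
        return None if len(password) >= n else f"shorter than {n} characters"
    return check

def mixed_classes(password, listname):
    """Reject passwords drawn from one character class (e.g. alpha-only)."""
    classes = {
        "letter" if c.isalpha() else "digit" if c.isdigit() else "other"
        for c in password
    }
    return None if len(classes) >= 2 else "uses only one character class"

def not_list_name(password, listname):
    """Example of a site-supplied check: no list name inside the password."""
    if listname and listname.lower() in password.lower():
        return "contains the list name"
    return None

class PasswordPolicy:
    """Runs a site-chosen sequence of checkers over a candidate password."""

    def __init__(self, checkers):
        self.checkers = list(checkers)

    def violations(self, password, listname):
        """Return every failure message; an empty list means accepted."""
        found = []
        for check in self.checkers:
            message = check(password, listname)
            if message:
                found.append(message)
        return found

# Assumed site policy: 12+ characters, two character classes, no list name.
SITE_POLICY = PasswordPolicy([min_length(12), mixed_classes, not_list_name])

if __name__ == "__main__":
    # Constructed sample passwords, checked for a constructed list name.
    for pw in ["abc", "onlylettershere", "staff-news-2009!", "k7#Vq-tram-Lodge"]:
        print(repr(pw), SITE_POLICY.violations(pw, "staff-news") or "accepted")
```

Reporting every violation at once, rather than stopping at the first, lets a list owner fix the password in one attempt.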

