[Mailman-Users] mailman passwords
Jeffrey Goldberg
jeffrey at goldmark.org
Sun May 10 03:28:26 CEST 2009
On May 9, 2009, at 4:51 PM, Bernd Petrovitsch wrote:
> - Depending on the security situation of your laptop/desktop/..., most
> browsers allow you to let them remember the password for you. So
> you have to really enter it only the first time.
Everyone who is concerned about security should be very strongly
encouraging users to use good password management systems. If a user
doesn't switch between browsers and clients then the password
management systems in most browsers are good enough. For other users,
other solutions are needed. On the Mac, I'm a very big fan of
1password which works as a plug-in for several browsers, is set up for
smart syncing of your keychain across systems and has a number of
other very well thought out design elements. I've not really looked
at password management systems for other platforms, but I'm sure that
there must be some good ones out there.
Bringing this back to discussion of mailman, mailman helps illustrate
exactly why a good password management system is needed. Mailman
passwords are low value, low security. That is, there really isn't
too much damage that can be done with a password compromise (thus "low
value"). Also they get sent around in unencrypted email and typically
are used on unencrypted HTTP connections. Thus they are relatively
easy to get at.
But for most users they are very infrequently used. Thus, they are
extremely unlikely to be remembered unless stored on the user's system
(reminder emails). But because they are unlikely to be remembered, if
users do set them, then it is very likely that users will use a
password scheme that is predictable.
That is, they will either use the same password that they use on more
high value systems, or they will use a variant of such a password.
That is, they might use "mm-sekret" for mailman and "ba-sekret" for
their Bank of America account. But mailman systems shouldn't be asked
to treat your password as your banking password, but only as your
mailman password.
A good password management system means that your individual passwords
are not things that any human needs to remember. This frees them up to
be both strong individually and independent of each other, so that the
compromise of one of your passwords doesn't expose any of your others.
In my instructions to users, I added some explanation about these low
security passwords:
http://lists.shepard-families.org/#sec-passwd
-j
--
Jeffrey Goldberg http://www.goldmark.org/jeff/