[Mailman-Users] mailman passwords

Jeffrey Goldberg jeffrey at goldmark.org
Sun May 10 03:28:26 CEST 2009


On May 9, 2009, at 4:51 PM, Bernd Petrovitsch wrote:

> - Depending on the security situation of your laptop/desktop/..., most
>  browsers allow you to let them remember the password for you. So
>  you have to really enter it only the first time.

Everyone who is concerned about security should be very strongly
encouraging users to use good password management systems. If a user
doesn't switch between browsers and clients, then the password
management systems in most browsers are good enough. For other users,
other solutions are needed. On the Mac, I'm a very big fan of
1Password, which works as a plug-in for several browsers, is set up for
smart syncing of your keychain across systems and has a number of
other very well thought out design elements. I've not really looked
at password management systems for other platforms, but I'm sure that
there must be some good ones out there.

Bringing this back to discussion of Mailman, Mailman helps illustrate
exactly why a good password management system is needed. Mailman
passwords are low value, low security. That is, there really isn't
too much damage that can be done with a password compromise (thus "low
value"). Also they get sent around in unencrypted email and typically
are used on unencrypted HTTP connections. Thus they are relatively
easy to get at.

But for most users they are very infrequently used. Thus, they are
extremely unlikely to be remembered unless stored on the user's system
(reminder emails). But because they are unlikely to be remembered, if
users do set them, then it is very likely that users will use a
password scheme that is predictable.

That is, they will either use the same password that they use on
higher value systems, or they will use a variant of such a password.
That is, they might use "mm-sekret" for Mailman and "ba-sekret" for
their Bank of America account. But Mailman systems shouldn't be asked
to treat your password as your banking password, but only as your
Mailman password.

A good password management system means that your individual passwords
are not things that any human needs to remember. This frees them up to
be both strong individually and independent of each other, so that the
compromise of one of your passwords doesn't expose any of your others.

In my instructions to users, I added some explanation about these low
security passwords:

  http://lists.shepard-families.org/#sec-passwd



-j


-- 
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
