[Mailman-Users] How to turn off plain text passwords?

[Stephen J. Turnbull]

Jeffrey Walton writes:

 > The best I can tell, the Mailman threat model is naive or unrealistic.

It's neither.  It merely corresponds to a very low level of security,
and you are told that when you subscribe.

 > There are at least three threats which should be modeled.

"Should".  Why?  And why just these?

 > First is unknown attackers who are breaking into systems and
 > harvesting {user name, email. password} tuples. As a user, I got
 > nailed when GNU's Savannah was hacked.
 > 
 > I reused a password (bad dog!),

Indeed, and AFAIK if you can get access to a database of as few as 100
MD5-encrypted passwords, a modern PC can probably crack at least one
with a dictionary attack within a few hours.  Given the quality of
most of my own passwords, given an attacker with a $5000 machine I
doubt that "salted SHA256" would make that stretch by more than a
couple hours.  Encryption only helps a little bit, most likely the
people who reuse passwords also have relatively weak ones, and the
password may not be the most valuable part of such a tuple in any case.

 > The second threat is the system administrator. I understand a sysadmin
 > must be trusted, but why is he or she trusted so much that they are
 > entitled to plain text passwords?

Because they can get them anyway with wireshark or an appropriate
Mailman Handler?  (Avoiding this attack is left as an exercise for the
reader, as well as identifying the security issues introduced or not
handled at all by the more obvious "solutions".)

 > The third threat is government. Any government can compel a list
 > administrator to give up his or her {user name/email/password} list
 > *if* the list operated within its jurisdiction.

And more secure password lists help here just how?
Cf. http://www.jwz.org/gruntle/rbarip.html.

 > These are not theoretical threats. They happen in practice, and happen
 > too frequently.

And the real solution is obvious.  Don't use passwords at all,
although that doesn't help with security of the user name and email
lists.

The fact is, Google and Savannah don't care about security of their
users enough to provide more security than the users do themselves.

RMS has been quite open about it on several occasions when push came
to shove: it was more important that GNU systems use free software
than that they be secure.  And for Google, security is just a matter
of financial calculus: if they screw up in public, it will cost them
so many users and indirectly so much ad revenue, etc.

If they *did* care more than the users do, they'd use a public key
solution and prohibit passwords.

 > So to answer the security level question: store a salted hash of the
 > password using SHA-224/256 or Whirlpool. The use of SHA-2 or Whirlpool
 > stems from NIST [1,2] and ECRYPT [3] recommendations on algorithm
 > strengths. With a salted hash (using an appropriate hash function),
 > list managers don't need to do any research or configurations, and I
 > don't have to worry about hackers, system administrators, or most
 > government attacks.

Speaking of "naive".  The passwords are protected (but not fully
protected against system admins), but the lists aren't.  Do you
realize just what kind of trouble some poor lady could be in if you
let the addresses on your "battered wives" list leak?  "Dead" is well
within the realm of possibility!

Now, that may not be *your* problem, but it does put "paid" to this claim:

 > Finally, it makes more sense to fix the problem in one place (Mailman
 > source code, by the Mailman developers) rather than 10,000 places
 > (each Mailman installation, by every Mailman list manager).

That would be true if there were a "the problem".  There isn't.  There
are 10,000 problems, each a little different.  There are problems,
each a little different, 10,000 of them.  There are 10,000 problems,
each differing a little. ....