[python-sg] Late to the party! :-)

Martin martin.brochhaus at googlemail.com
Sat Jun 25 10:22:13 CEST 2011


Calvin, one more thing to notice:

I have accounts at 149 websites at the moment. Every site has a different
and completely random password. I don't know a single password of any of
these sites, not even my GMail password. I only need to remember one master
password and that doesn't even have to be a super strong one.

How is this possible: passwordmaker.org.

Best regards,
Martin

On Sat, Jun 25, 2011 at 4:11 PM, Senthil Kumaran <senthil at uthcode.com> wrote:

> On Sat, Jun 25, 2011 at 08:50:06AM +0200, Calvin Cheng wrote:
> >     - Why you think that Mailman has bad privacy setup?
> >
> > I said it has a security flaw - Mailman users' passwords should not be sent
> > unencrypted over the air/wire. Users of mailman get 'reminder emails' once in a
> > while that their password is 'blablabla' - in plaintext!!!!
>
> Okay, I get it.
>
> I think it would be a good idea to raise a bug report with the mailman
> project and see their suggestion. If not you, someone listening and
> possibly I can raise a report too.
>
> Two options could be followed.
>
> - Some kind of one-way authentication scheme that allows only to reset and
>  not to retrieve. This is how web applications are doing it. They allow you
>  to choose another password instead of giving the password, as it is
>  impossible to retrieve it back. This could be a good project to hack on
>  in the mailman project too.
>
> - Encrypted retrieving. Which is unheard of and I think is practically
>  impossible.
>
> Think of any list which allowed you to retrieve the password as
> opposed to reset the password, what did it do? Sent it via email only.
> BTW, I got confused as to how mailman sending the password in plaintext
> makes one more vulnerable than someone directly reading your email
> itself!
>
> Monthly reminder is an admin option, it can be turned off.
>
> Here is mailman's stance on passwords to use.
> http://www.list.org/mailman-member/node15.html
>
> And some interesting discussion:
> - http://www.jwz.org/doc/mailman.html
> - http://www.gnu.org/software/mailman/jwzrebuttal.html
>
>
> I got curious as what the wireshark guys were using and found this:
> https://www.wireshark.org/mailman/listinfo/wireshark-dev
>
> :-)
>
> --
> Senthil
> _______________________________________________
> python-sg mailing list
> python-sg at python.org
> http://mail.python.org/mailman/listinfo/python-sg
>
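
The reset-only scheme from the first option in the quoted message, as an added example that is not part of the original thread and is not Mailman's code: the server keeps only a salted one-way hash, so it has nothing to mail back, and a forgotten password is replaced through a single-use, expiring token. The `MemberStore` class, the PBKDF2 work factor and the token lifetime are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

PBKDF2_ROUNDS = 200_000   # assumed work factor; tune for your hardware
TOKEN_TTL = 900           # assumed reset-token lifetime in seconds

class MemberStore:
    """Hypothetical member database: stores salted hashes, never passwords."""

    def __init__(self):
        self._members = {}   # address -> (salt, password_hash)
        self._resets = {}    # address -> (sha256(token), expiry)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, address, password):
        salt = secrets.token_bytes(16)          # fresh salt per password
        self._members[address] = (salt, self._hash(password, salt))

    def verify(self, address, password):
        if address not in self._members:
            return False
        salt, stored = self._members[address]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def start_reset(self, address, now=None):
        """Return a one-time token to e-mail; only its hash is kept."""
        if address not in self._members:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._resets[address] = (digest, now + TOKEN_TTL)
        return token

    def finish_reset(self, address, token, new_password, now=None):
        now = time.time() if now is None else now
        # pop() consumes the pending reset on any attempt, so a token is single use
        digest, expiry = self._resets.pop(address, (b"", 0))
        supplied = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(digest, supplied):
            return False
        self.set_password(address, new_password)
        return True
```

A token intercepted in transit is useful only until it expires or is used, whereas a password mailed in a reminder stays valid until the member changes it.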