[Prev] Thread [Next]  |  [Prev] Date [Next]

Re: [Mailman-Users] Thoughts about migrating to Mailman instead of Sympa (from Majordomo) Larry Stone Thu Feb 02 08:12:31 2012

On Thu, 19 Jan 2012, Geoff Mayes wrote:

If Mailman provided a way around the passwords in the clear issue, I'm pretty sure we'd go with Mailman ...

My personal opionion is Mailman passwords are so insignificant that it really shouldn't be an issue. On the other hand, I recognize that you may have direction from above that because it's called a "password", it needs to be ulta-secure (there are, unfortunately, too many bosses who don't understand security and don't understand that different types of systems have different security needs). How much damage could be done if a Mailman user password was compromised? How much damage could be done if my on-line banking password was compromised? The answers are very different yet there are many who want them secured in the same way.

I so rarely use a Mailman password that I don't even try to remember it. If I need to use it on a Mailman system, I have it send it to me, use it, then forget it.

If someone wants to mess up my subscription on a Mailman system, well, go ahead. I have far more important things in life to worry about.

Also, consider how many other times passwords are sent in the clear, just not in email. A snail mail with a password is also a "password sent in the clear" yet few seem to have a problem with that. Maybe because I practice good password managment, I am less concerned about an email being snooped than I am about snail mail theft or privileged access abuses.

I would not worry about Mailman passwords being sent in the clear and instead, urge users to use good password practices. For Mailman, encourage them to let Mailman assign a password (and thereby, not reuse a PW). Because no matter what you do, people will reuse passwords, use the same password for low and high security needs, use easy-to-guess passwords, write them down, and other things that just make Mailman's password concerns the least of your organization's security concerns.

-- Larry Stone
Mailman-Users mailing list [EMAIL PROTECTED]
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/