Ben Finney <ben+em...@benfinney.id.au> wrote:

>> > A large part of my reason for reading via Gmane is to avoid yet
>> > another set of authentication credentials. Especially one that I
>> > never use; that's a security nightmare waiting to happen. So I'm not
>> > interested in increasing my security exposure by making a Mailman
>> > account on yet another site.

>> Yikes! What nightmare awaits those of us who've foolishly gone ahead
>> and subscribed? What's my exposure, beyond some nefarious cracker
>> impersonating me on emacs-orgmode?

> The assumption here is that logging into the mailing list account is
> something done infrequently to never for any given user. That's
> certainly the case for just about any list I've subscribed to.

> For an infrequently-to-never used passphrase, one of two things is the
> case: either it's unique, or it is identical to the passphrase that
> accesses some other set of services for the user.

> Since it's an infrequently-to-never accessed service, it's an
> unreasonable burden to expect the user to maintain unique passphrases
> for every such service. If for this list, why not for every such list?

> So what usually ends up happening is they're identical for a given
> person across many different services. But the more that's the case, the
> greater the exposure: any one of those services could manage their
> security poorly, or simply be unlucky enough to attract a bored and/or
> motivated cracker; and a compromise on any one of them removes any
> expectation of security on any of the rest of the services where the
> user has the same passphrase.

> The sensible policy, therefore, is to cull the proliferation of such
> passphrase-requiring infrequently-to-never-accessed accounts. Which, in
> turn, means saying a polite “no thank you” to most requests to set up
> new accounts.

The common policy, however, is that you subscribe to the
mailing list with the defaults, use the automatically
generated password to set the "account" to "no mail" and
never bother again. Some mailing lists will send you a
reminder of your "account"'s subscriptions once a month,
some not even that. And should you really ever need to
access your "account"'s configuration, you can always use
the "lost password" link.

Tim

_______________________________________________
Emacs-orgmode mailing list
Please use `Reply All' to send replies to the list.
Emacs-orgmode@gnu.org
http://lists.gnu.org/mailman/listinfo/emacs-orgmode