On 2/12/2005 6:02, "Barry Warsaw" <[EMAIL PROTECTED]> wrote:
> On Sat, 2005-02-12 at 02:07, Bob Puff wrote:
>
>> So let me ask this: if we drop passwords for everything but the private
>> archives, do we really need to do anything differently than the format
>> currently in place? Do they really need to be one-way encrypted? Being able
>> to email a forgotten password has its benefits.
>
> It's still worthwhile (in the long run) to hash the passwords. Some
> people tend to re-use them, so stealing Mailman passwords can
> potentially lead to cascading attacks. Password resets are fine.

I don't see how users remote from their normal email can make use of password resets. Without the old password, how do they prove they should be able to reset a subscriber's password? Thus they can't designate the new password, nor learn the generated one, remotely.

I don't think the above kills the idea (I've changed my mind, with respect to the private archives, from what I said earlier).

--John
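The two mechanisms the thread weighs against each other, one-way password storage (so a stolen subscriber database cannot be replayed against other sites) and an emailed reset token that replaces "mail me my password", as an added example that is not code from the thread or from Mailman itself; the PBKDF2 work factor, the token lifetime and the record layout are assumptions:

```python
# Added illustration, not Mailman code: hashed password storage plus a
# single-use, time-limited reset token. The plaintext password is never
# recoverable from what is stored, which is exactly why a reset flow is
# needed once passwords are hashed.
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor; tune per server
TOKEN_TTL = 3600      # assumed lifetime of a reset token, in seconds


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest'; salted, one-way."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def issue_reset_token(now: float) -> Tuple[str, dict]:
    """Return (token to mail to the address of record, record to keep server-side).

    Only a hash of the token is stored, so a leaked database yields neither
    the password nor a usable reset token."""
    token = secrets.token_urlsafe(32)
    record = {"token_hash": hashlib.sha256(token.encode()).hexdigest(),
              "expires": now + TOKEN_TTL, "used": False}
    return token, record


def redeem_reset_token(token: str, record: dict, now: float,
                       new_password: str) -> Optional[str]:
    """Return the new password hash if the token is valid, unexpired and
    unused; otherwise None. The token is burned on first successful use."""
    if record["used"] or now > record["expires"]:
        return None
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["token_hash"]):
        return None
    record["used"] = True
    return hash_password(new_password)
```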