Re: [aur-general] Password sent every month ?

2015-06-13 Thread G. Schlisio
 Hi there !
 Just new here.
 And I've been informed that Normally, Mailman will remind you of your
 archlinux.org mailing list passwords once every month.
 Does it mean the passwords are saved somewhere ?!
 That means that my password is sent periodically. That's not the only
 account for which I use this password.
 That is a HUGE security breach. Please, change that system.
 
 And by the way, hello there, fellow arch users and devs ;)

hi and welcome aboard arch!

concerning your issue:
you probably have heard the advice to use different passwords everywhere?
also: the mailinglist password is not that important. it merely controls
your subscription, so no sensible data is secured with it, it just
prevents random people from fiddling with your subscription.
that brings me to my next point: arch uses a software called mailman
here, a mailinglist managing tool used widely on the interwebs, reviewed
many times.
you can also opt-out of receiving this reminder in your subscription
options (protected by this password).

i hope you see that this is not a security issue, but perhaps you want
to change your mailman-password.





Re: [aur-general] Password sent every month ?

2015-06-13 Thread G. Schlisio
 I agree with you, but i got a common pwd that I use on some websites
 where i don't log in frequently (if I forget the pwd, that's the first
 I try), so that was convenient. But yeah, i'm gonna change that pwd.
 I am still convinced this is a security breach, even if that's not a
 very important pwd as you pointed out.
 Just imagine a pirate that knows that the pwd is sent every month.
 He knows he just has to wait some weeks intercepting every sent mail.
 
 Anyway, thanks for the (very quick) answers :)

please post your answers below the mail you are answering to. this
so-called bottom-post-policy is preferred on all arch mailinglists (i am
aware of).
and, as i said, you can opt-out of that resend - which i am sure a lot of
people do.

happy arching!





Re: [aur-general] Password sent every month ?

2015-06-13 Thread Félix Piédallu
On 13/06/2015 20:48, G. Schlisio wrote:
 I agree with you, but i got a common pwd that I use on some
 websites where i don't log in frequently (if I forget the pwd,
 that's the first I try), so that was convenient. But yeah, i'm
 gonna change that pwd. I am still convinced this is a security
 breach, even if that's not a very important pwd as you pointed
 out. Just imagine a pirate that knows that the pwd is sent
 every month. He knows he just has to wait some weeks intercepting
 every sent mail.
 
 Anyway, thanks for the (very quick) answers :)
 
 please post your answers below the mail you are answering to.
 this so-called bottom-post-policy is preferred on all arch
 mailinglists (i am aware of). and, as i said, you can opt-out of
 that resend - which i am sure a lot of people do.
 
 happy arching!
 

Oh yeah, of course. that was just a fail with my web client ^^''

Thanks :)

-- 
Félix Piédallu
Président du Club Robotronik Phelma
06 51 41 32 48
Manjaro Linux. Feel the freedom.


Re: [aur-general] Password sent every month ?

2015-06-13 Thread Ben Oliver
On 13 Jun 2015 6:52 pm, G. Schlisio g.schli...@dukun.de wrote:

  Hi there !
  Just new here.
  And I've been informed that Normally, Mailman will remind you of your
  archlinux.org mailing list passwords once every month.
  Does it mean the passwords are saved somewhere ?!
  That means that my password is sent periodically. That's not the only
  account for which I use this password.
  That is a HUGE security breach. Please, change that system.
 
  And by the way, hello there, fellow arch users and devs ;)

 hi and welcome aboard arch!

 concerning your issue:
 you probably have heard the advice to use different passwords everywhere?
 also: the mailinglist password is not that important. it merely controls
 your subscription, so no sensible data is secured with it, it just
 prevents random people from fiddling with your subscription.
 that brings me to my next point: arch uses a software called mailman
 here, a mailinglist managing tool used widely on the interwebs, reviewed
 many times.
 you can also opt-out of receiving this reminder in your subscription
 options (protected by this password).

 i hope you see that this is not a security issue, but perhaps you want
 to change your mailman-password.


I have to second this. Use a password manager and generate different
passwords for everything and you don't have to sweat it if a password gets
leaked (especially something non essential like this).


Re: [aur-general] Password sent every month ?

2015-06-13 Thread Félix Piédallu
Okay :)

I agree with you, but i got a common pwd that I use on some websites
where i don't log in frequently (if I forget the pwd, that's the first
I try), so that was convenient. But yeah, i'm gonna change that pwd.
I am still convinced this is a security breach, even if that's not a
very important pwd as you pointed out.
Just imagine a pirate that knows that the pwd is sent every month.
He knows he just has to wait some weeks intercepting every sent mail.

Anyway, thanks for the (very quick) answers :)

Félix Piédallu
Président du Club Robotronik Phelma
06 51 41 32 48
Manjaro Linux. Feel the freedom.

On 13/06/2015 20:00, Ben Oliver wrote:
 On 13 Jun 2015 6:52 pm, G. Schlisio g.schli...@dukun.de wrote:
 
 Hi there ! Just new here. And I've been informed that
 Normally, Mailman will remind you of your archlinux.org
 mailing list passwords once every month. Does it mean the
 passwords are saved somewhere ?! That means that my password is
 sent periodically. That's not the only account for which I use
 this password. That is a HUGE security breach. Please, change
 that system.
 
 And by the way, hello there, fellow arch users and devs ;)
 
 hi and welcome aboard arch!
 
 concerning your issue: you probably have heard the advice to use
 different passwords everywhere? also: the mailinglist password is
 not that important. it merely controls your subscription, so no
 sensible data is secured with it, it just prevents random people
 from fiddling with your subscription. that brings me to my next
 point: arch uses a software called mailman here, a mailinglist
 managing tool used widely on the interwebs, reviewed many times. 
 you can also opt-out of receiving this reminder in your
 subscription options (protected by this password).
 
 i hope you see that this is not a security issue, but perhaps
 you want to change your mailman-password.
 
 
 I have to second this. Use a password manager and generate
 different passwords for everything and you don't have to sweat it
 if a password gets leaked (especially something non essential like
 this).
 


Re: [aur-general] Password sent every month ?

2015-06-13 Thread Florian Bruhin
* Félix Piédallu fe...@piedallu.me [2015-06-13 19:42:55 +0200]:
 Hi there !
 Just new here.
 And I've been informed that Normally, Mailman will remind you of your
 archlinux.org mailing list passwords once every month.
 Does it mean the passwords are saved somewhere ?!
 That means that my password is sent periodically. That's not the only
 account for which I use this password.
 That is a HUGE security breach. Please, change that system.

Yes, Mailman stores passwords in plain text in the current version. I
think this was changed in Mailman 3, but that's rather new and
radically different.

But it's really something common. The sign up page even says this (in
bold!):

 Do not use a valuable password as it will occasionally be emailed
 back to you in cleartext.

As others pointed out already, using different passwords is a really
good idea anyways. Many more pages store passwords in plaintext (they
are just less honest about it) unfortunately.

Florian

-- 
http://www.the-compiler.org | m...@the-compiler.org (Mail/XMPP)
   GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc
 I love long mails! | http://email.is-not-s.ms/

