On Sat, Nov 25, 2017 at 11:12:19AM +0100, Colin Smale wrote:
> I just got an email from the mailing list system that my
> account/membership had been disabled due to "excessive bounces". I have
> no idea why, but that is not the point I want to make here. My point is
> that the email I received contained my password to that account, in
> plain text! 

You mean the useless password to modify your list membership and
options? I never set one; it will generate one for me and email
it to me anyway. It is not supposed to be secure at all.

Problem would be if someone sets the password and uses a "valuable"
one, perhaps mistakenly thinking he should enter his OSM password
there.

> WTF#1: Why is it remembering the cleartext password and not a
> non-reversible hash? 
> 
> WTF#2: Why is it sending my password around in the email? 

IMHO the password is useless for 97% of users and should cease to
exist. Where some authentication to the list server is needed, send
a link or code via email or more secure methods.

Richard

_______________________________________________
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk
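
The "send a link or code via email" approach suggested above, together with the non-reversible storage asked for in WTF#1, as an added example that is not part of the original message or of the list software. The class name `ListAuth`, the 15-minute lifetime and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60  # assumed lifetime of an emailed code


class ListAuth:
    """Hypothetical one-time-code store for list membership changes."""

    def __init__(self, clock=time.time):
        self._pending = {}   # address -> (SHA-256 digest of code, expiry time)
        self._clock = clock  # injectable so expiry can be tested

    @staticmethod
    def _digest(code):
        # A plain hash is enough here because the code is a long random
        # value, not a user-chosen password that needs a slow password hash.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, address):
        """Create a code to email to the subscriber; only its digest is kept."""
        code = secrets.token_urlsafe(32)
        expiry = self._clock() + CODE_TTL_SECONDS
        self._pending[address.lower()] = (self._digest(code), expiry)
        return code  # goes into the email body or link, never into storage

    def redeem(self, address, code):
        """Return True once for a valid, unexpired code; False otherwise."""
        key = address.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False
        digest, expiry = entry
        if self._clock() > expiry:
            del self._pending[key]  # expired codes are discarded
            return False
        if not hmac.compare_digest(digest, self._digest(code)):
            return False
        del self._pending[key]      # single use: a replayed email is worthless
        return True


if __name__ == "__main__":
    auth = ListAuth()
    emailed = auth.issue("subscriber@example.org")  # constructed address
    print(auth.redeem("subscriber@example.org", emailed))  # first use
    print(auth.redeem("subscriber@example.org", emailed))  # replay
```

A leaked database or a forwarded old email then exposes nothing reusable: the store holds only digests, and each code expires or is consumed on first use.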
