[blag-whereto] password security policy
beloumi at riseup.net
Fri Jul 24 12:24:04 UTC 2015
On 24.07.2015 at 00:08 Abdur-Rahman Morgan wrote:
> Thanks for pointing this out. The current mailing list for blag is
> located at lists.blagblagblag.org but the same issue would still
> remain true for both mail and http logins.
> I'll look into Securing Mailman's web GUI by using Secure HTTP/SSL
> and An encrypted mailing list with Mailman, Exim and Gnupg on Debian
> Thank you,
Nice to see that there is a quick response to security issues.
I have seen that this is an old and well-known security hole in Mailman.
A move to Mailman 3 seems to solve the problem:
" In Mailman 3, passwords are both stored in hashed form (i.e. /*not*/
clear text) and the monthly reminder feature has been removed. "
If the default password hash is really "salted sha512", I would strongly
recommend replacing it. I'm wondering why they have chosen such an
insecure default. I took a short look at GNU Mailman and I found there
are several password hashing schemes available. Unfortunately there is
no Scrypt, but Bcrypt is available.
HTTPS would be nice, but I think this is not as necessary as avoiding
this password policy. I think it is generally a bad practice to send
passwords anywhere whether hashed/encrypted or not and Mailman 3 does
not do it now.
I hope this helps to fix the problem.
> On 07/23/2015 11:55 AM, beloumi wrote:
>> I subscribed some minutes ago...
>> I was wondering,
>> 1. why my password was stored in plaintext
>> 2. why it was sent via mail over the net without any encryption?
>> This is a very dubious security policy...
>> Are there a reason to do so?
>> blag-whereto mailing list
>> blag-whereto at lists.aktivix.org